Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract fields from multi value fields

chiwang
Explorer
‎02-28-2013 01:50 PM

I am trying to create a new fields from a multi value fields. Here's an example:

group_id, user_id  user_address         user_phone_number
a         123      cityA, NY, USA       123-234-345
          234      cityBC, NJ, USA      234-345-345
b         567      cityDEF, NY, USA     234-345-456

stats list(user_id), list(user_address), list(user_phone_number) by group_id

user_id, user_address and user_phone_number are multi value fields.
I want to be able to extract state information from user_address to generate a table like this

group_id, user_id  state         user_phone_number
a         123      NY            123-234-345
          234      NJ            234-345-345
b         567      NY            234-345-456

How can I achieve this?

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-28-2013 02:17 PM

The same way as extracting it from a single value field:

| stats count | fields - count | eval foo = "New York City, NY, USA;Los Angeles, CA, USA" | makemv foo delim=";" | rex field=foo ", (?<state>[A-Z][A-Z]),"
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-04-2013 07:55 AM

The issue is not the expression, that worked fine. Apparently your Splunk version treats multi-valued fields differently.

0 Karma
Reply

chiwang
Explorer
‎03-04-2013 07:53 AM

Updated with (?[^,]+,[A-Z]+), no states are returned.

foo                                 state
New York City, NY, USA              
Los Angees, CA, USA
0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎03-01-2013 02:18 PM

Maybe try a different regex?
(?[^,]+,[A-Z]+)

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 01:34 PM

I see. Over here in 5 it works like a charm.

0 Karma
Reply

chiwang
Explorer
‎03-01-2013 01:25 PM 

foo                                 state
New York City, NY, USA              NY
Los Angees, CA, USA

CA is not listed
I am using splunk 4.3.1.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 09:04 AM

What result are you getting when you enter my example query into splunk?

0 Karma
Reply

chiwang
Explorer
‎03-01-2013 08:44 AM

With this query, if I run

stats list(user_id), list(state), list(user_phone_number) by group_id

I will get this: 

group_id, user_id  state         user_phone_number

a         123      NY            123-234-345

          234                    234-345-345

b         567      NY            234-345-456

Only the first state in a group is displayed

Any idea how to get a full list of states?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...