Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract fields from multi value fields

chiwang
Explorer
‎02-28-2013 01:50 PM

I am trying to create a new fields from a multi value fields. Here's an example:

group_id, user_id  user_address         user_phone_number
a         123      cityA, NY, USA       123-234-345
          234      cityBC, NJ, USA      234-345-345
b         567      cityDEF, NY, USA     234-345-456

stats list(user_id), list(user_address), list(user_phone_number) by group_id

user_id, user_address and user_phone_number are multi value fields.
I want to be able to extract state information from user_address to generate a table like this

group_id, user_id  state         user_phone_number
a         123      NY            123-234-345
          234      NJ            234-345-345
b         567      NY            234-345-456

How can I achieve this?

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-28-2013 02:17 PM

The same way as extracting it from a single value field:

| stats count | fields - count | eval foo = "New York City, NY, USA;Los Angeles, CA, USA" | makemv foo delim=";" | rex field=foo ", (?<state>[A-Z][A-Z]),"
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-04-2013 07:55 AM

The issue is not the expression, that worked fine. Apparently your Splunk version treats multi-valued fields differently.

0 Karma
Reply

chiwang
Explorer
‎03-04-2013 07:53 AM

Updated with (?[^,]+,[A-Z]+), no states are returned.

foo                                 state
New York City, NY, USA              
Los Angees, CA, USA
0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎03-01-2013 02:18 PM

Maybe try a different regex?
(?[^,]+,[A-Z]+)

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 01:34 PM

I see. Over here in 5 it works like a charm.

0 Karma
Reply

chiwang
Explorer
‎03-01-2013 01:25 PM 

foo                                 state
New York City, NY, USA              NY
Los Angees, CA, USA

CA is not listed
I am using splunk 4.3.1.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 09:04 AM

What result are you getting when you enter my example query into splunk?

0 Karma
Reply

chiwang
Explorer
‎03-01-2013 08:44 AM

With this query, if I run

stats list(user_id), list(state), list(user_phone_number) by group_id

I will get this: 

group_id, user_id  state         user_phone_number

a         123      NY            123-234-345

          234                    234-345-345

b         567      NY            234-345-456

Only the first state in a group is displayed

Any idea how to get a full list of states?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...