Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Expand two multi value field with different format using mvexpand

ahmadshakir1952
Explorer
‎01-06-2020 01:44 AM

Trying to expand two multi value field using mvexpand for below scenario:

Jhon purchased Mango and Banana both.
Colins purchased Papaya and Brad purchased Apple.

alt text

My current output not showing Apple is purchased by Brad.
alt text

Part of code for expanding used as below: 

| table Name,Fruit | eval sample = mvzip(Name,Fruit) | mvexpand sample | makemv sample delim="," | eval Name=mvindex(sample,0)| eval Fruit=mvindex(sample,1)

Please help to get the desired output as per last picture.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎01-06-2020 04:30 AM

UPDATED:

| makeresults 
| eval Name=split("Jhon,Colins,Brad",",") 
| eval Fruit=split("Mango,Banana,Papaya,Apple",",") 
| eval field_x=split("eat,like,love,taste",",") 
| eval field_y=split("one,two",",") 
| fields - _time 
| rename COMMENT as "this is sample data you provided" 
| rename COMMENT as "From here, the logic" 
| eval _counter=mvrange(0,mvcount(Fruit)) 
| eval Name = mvappend(mvindex(Name,0),Name) 
| stats list(*) as * by _counter
| foreach * 
    [ eval <<FIELD>> = case(mvcount(<<FIELD>>) = 2, mvindex(<<FIELD>>,_counter % 2),true(),mvindex(<<FIELD>>,_counter))] 
| fields Name field_x field_y Fruit

Hi, @ahmadshakir1952
I don't use mvexpand.
but How about this?

Reply

ahmadshakir1952
Explorer
‎01-06-2020 08:40 PM

Here i have given example of two filed. Can you please for 2 more fields which is also multi-valued. i.e: field name: field_x and field_y then what would be the for each condition.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-07-2020 03:44 AM

Hi @ahmadshakir1952
My answer updated. please confirm.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-06-2020 04:29 AM

@ahmadshakir1952

Your posted images not providing proper information regarding field type and so on. So can you please provide some sample events OR images from Splunk search?

Meanwhile check below thing also..

The value of Fruit field against name Jhon is multivalued? Like output of below search?

| makeresults 
| eval name="Jhon|Colins|Brad",friuts="Mango#Banana|Papaya|Apple", name=split(name,"|"),friuts=split(friuts,"|") , tmp=mvzip(name,friuts) 
| mvexpand tmp 
| eval name=mvindex(split(tmp,","),0),friuts=mvindex(split(tmp,","),1),friuts=split(friuts,"#")
| rename COMMENT as "This is sample of your search" 
| table name friuts

Then try to append | mvexpand friuts .

0 Karma
Reply

ahmadshakir1952
Explorer
‎01-06-2020 06:42 PM

Name and Fruit both are from different sourectype , but they both sharing a common ID field. In here example, Jhon is multi-valued and In name column its not certain which value is going to be multivalue in Fruit column/field.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-06-2020 10:43 PM

@ahmadshakir1952
Can you please share sample events from both sourcetype? So I can help you design search.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...