1multiple value field should again be further spli...

vn_g · ‎03-13-2020

Am successfully able to generate “Final_EL” multivalue field for each event.
Final_EL = 1584081083.114 ABC-12345 Final_EL = 1584081089.114 DEF-678910

Requirement :
Each event should have the multiple value fields(ET and EMN)
ET= 1584081083.114 ET = 1584081089.114
EMN = ABC-12345 EMN = DEF-678910

Tried using both the below ways , but both doesnt work
| rex max_match=0 field=Final_EL "(?((.*?),){0,})"
| eval ET = mvindex(split(Final_EL," "),0)

Kindly help.

woodcock · ‎03-14-2020

It is VERY unclear what you need but perhaps this example will provide you with a template:

index="systemdetails" AND source="sytemdetails*" AND Condition="0"
| append [ |makeresults
| eval EL = "1584081083.114 ABC-12345,1584081089.114 DEF-678910"
| makemv delim="," EL 
| eval DROPME="true" ]
| eventstats list(EL) AS EL
| where isnull(DROPME)
| eval Final_EL = mvindex(EL, -1)
| rex field=Final_EL "^(?<ET>\S+)\s+(?<EMN>\s+)"

manjunathmeti · ‎03-14-2020

Try this:

index=systemdetails source=sytemdetails* Condition = 0 
| eval 
    [ search index=systemdetails source=sytemdetails* Condition != 0 
    | head 1 
    | eval EL = "1584081083.114 ABC-12345 , 1584081089.114 DEF-678910" 
    | fields EL 
    | return EL ] 
| eval Final_EL = split(replace(EL, "\s*,\s*", ","), ",") 
| mvexpand Final_EL 
| eval ET_EMN = split(Final_EL, " "), ET = mvindex(ET_EMN, 0), EMN = mvindex(ET_EMN, 1)

to4kawa · ‎03-14-2020

your search
| eval ET=split("1584081083.114,1584081089.114",",")
| eval EMN=split("ABC-12345,DEF-678910",",")

1multiple value field should again be further splited by a delimiter (output : 2 multivalue fields) for every single event.

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...