1multiple value field should again be further spli...

vn_g · ‎03-13-2020

Am successfully able to generate “Final_EL” multivalue field for each event.
Final_EL = 1584081083.114 ABC-12345 Final_EL = 1584081089.114 DEF-678910

Requirement :
Each event should have the multiple value fields(ET and EMN)
ET= 1584081083.114 ET = 1584081089.114
EMN = ABC-12345 EMN = DEF-678910

Tried using both the below ways , but both doesnt work
| rex max_match=0 field=Final_EL "(?((.*?),){0,})"
| eval ET = mvindex(split(Final_EL," "),0)

Kindly help.

woodcock · ‎03-14-2020

It is VERY unclear what you need but perhaps this example will provide you with a template:

index="systemdetails" AND source="sytemdetails*" AND Condition="0"
| append [ |makeresults
| eval EL = "1584081083.114 ABC-12345,1584081089.114 DEF-678910"
| makemv delim="," EL 
| eval DROPME="true" ]
| eventstats list(EL) AS EL
| where isnull(DROPME)
| eval Final_EL = mvindex(EL, -1)
| rex field=Final_EL "^(?<ET>\S+)\s+(?<EMN>\s+)"

manjunathmeti · ‎03-14-2020

Try this:

index=systemdetails source=sytemdetails* Condition = 0 
| eval 
    [ search index=systemdetails source=sytemdetails* Condition != 0 
    | head 1 
    | eval EL = "1584081083.114 ABC-12345 , 1584081089.114 DEF-678910" 
    | fields EL 
    | return EL ] 
| eval Final_EL = split(replace(EL, "\s*,\s*", ","), ",") 
| mvexpand Final_EL 
| eval ET_EMN = split(Final_EL, " "), ET = mvindex(ET_EMN, 0), EMN = mvindex(ET_EMN, 1)

to4kawa · ‎03-14-2020

your search
| eval ET=split("1584081083.114,1584081089.114",",")
| eval EMN=split("ABC-12345,DEF-678910",",")

1multiple value field should again be further splited by a delimiter (output : 2 multivalue fields) for every single event.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!