Solved: Joining 2 Multivalue fields to generate new field ...

ltrand · ‎04-24-2020

I'm working with some json data that contains 1 field with a list of keys and 1 field with a list of values. These pairs may change event to event, but item 1 in field 1 will always align with item 1 in field 2. So I'd like to join these together so that I get a field name of field1_value1 with the data of field2_value1.

A sample of where I am right now in this:

| makeresults count=1
| eval event.key="email,user,event_id,state"
| eval event.values="user@acme.corp,Jon Smith,1234,Open"
| makemv delim="," event.key
| makemv delim="," event.values
|eval keyjoin=mvzip('event.key','event.values')
| mvexpand keyjoin

So this will properly join the data into the field keyjoin, but now I have to take out the first value in it to be the field name and the second to be the field value. Any advice?

Edit:
The desired end state would be the ability to add further search criteria after formatting the data. This is going to drive several panels, so obviously more than that, but if I can get to that stats, then I can go from there. Just need to solve for MISSING SPL HERE

| makeresults count=1
| eval event.key="email,user,event_id,state"
| eval event.values="user@acme.corp,Jon Smith,1234,Open"
| makemv delim="," event.key
| makemv delim="," event.values
|eval keyjoin=mvzip('event.key','event.values')
| mvexpand keyjoin
| **MISSING SPL HERE**
| stats count by state, user

ltrand · ‎04-24-2020

I finally figured out the solution here:

| makeresults count=1
 | eval event.key="email,user,event_id,state"
 | eval event.values="user@acme.corp,Jon Smith,1234,Open"
 | makemv delim="," event.key
 | makemv delim="," event.values
 |eval keyjoin=mvzip('event.key','event.values')
 | mvexpand keyjoin
 | rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
 | eval {key} = value
 | stats count by state

View solution in original post

ltrand · ‎04-24-2020

I finally figured out the solution here:

| makeresults count=1
 | eval event.key="email,user,event_id,state"
 | eval event.values="user@acme.corp,Jon Smith,1234,Open"
 | makemv delim="," event.key
 | makemv delim="," event.values
 |eval keyjoin=mvzip('event.key','event.values')
 | mvexpand keyjoin
 | rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
 | eval {key} = value
 | stats count by state

sjbriggs · ‎11-08-2021

This helped me combine the values of two multi-valued fields which was helpful. I'm just trying to figure out how to combine 3 values now. Basically one mvfield has attributes of things changed in a user account. The second field has the old value of the attribute that's been changed, while the 3rd field has the new value that the attribute has been changed to.
attributes=group,role
oldvalue=user,admin
newvalue=superuser,null

The 3 fields don't consistently have the same count of attributes so the dynamic method recommended certainly helped. I'm just struggling to reverse engineer it to handle 3 multivalue fields. Any suggestions?

richgalloway · ‎04-24-2020

There is an example of this in the Docs. See Example 3 under mvexpand in the Search Reference manual (https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Mvexpand#Examples).

---
If this reply helps you, Karma would be appreciated.

ltrand · ‎04-24-2020

Sorry if I wasn't clear. Ultimately I would like to be able to do further conditionals in the search, so I need to be able to do something like | stats count by state. So state must be a fieldname with the value Open.

Joining 2 Multivalue fields to generate new field value combinations

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk