How to create an array of values from a field?

naveenurs · ‎07-26-2013

Hello,

I am trying to parse a field like the one below into an array of Key/Value pairs and access each array value separately

uatoken:
Macintosh; Intel Mac OS X 10_7_5
Windows NT 6.2; WOW64; rv:22.0
compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; ARM; Touch; WPDesktop
compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0
compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0
Android; Mobile; rv:22.0
Macintosh; Intel Mac OS X 10_7_5
compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0
compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0
Linux; U; Android 4.0.3; en-us; HTC_X515C Build/IML74K
compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0
compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0
Windows NT 6.1; chromeframe/28.0.1500.72
Macintosh; Intel Mac OS X 10_8_4
compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0

The end result that I am looking for is
uatoken[0] OR uatoken0=compatible
uatoken[1] OR uatoken1=MSIE 10.0
uatoken[2] OR uatoken2=Windows NT 6.1
uatoken[3] OR uatoken3=Trident/6.0

How can I achieve this in Splunk?

Thanks in advance!!!

naveenurs · ‎07-26-2013

I was able to accomplish what I was looking for.

Is there a better / more efficient way than this to accomplish this?

l0pher · ‎06-03-2014

Thanks! mvindex is the function I was looking for.

How to create an array of values from a field?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms