Solved: Re: Creating a multivalue field from a result?

dshpritz · ‎12-26-2013

Hey everyone,

So this feels like something I should be able to do with the standard search language, but I am failing at it.

I have a result, coming from a custom command, that contains field like this:

entries.0.category\_name, entries.1.category\_name,...,entries.n.category\_name

I would like to take all of these and either create a multi-value field with all of the values in them, or create just one string joining all of the values of entries.*.category_name together, with a comma.

I want something like:

| eval mvjoin(entries.*.category_name, ",")

But Splunk does not like that.

Any thoughts?

Thanks,

Dave

_d_ · ‎12-27-2013

Try this:

...| eval categories = "" | foreach entries.*.category_name [eval categories='<<FIELD>>' + "," + categories]| makemv delim="," categories

View solution in original post

_d_ · ‎12-27-2013

Try this:

...| eval categories = "" | foreach entries.*.category_name [eval categories='<<FIELD>>' + "," + categories]| makemv delim="," categories

aelliott · ‎12-26-2013

So basically he has fields that are named "entries.InsertNumberHere.category_name" and would like to combine them into one multi-value field. Variably Named columns.

dshpritz · ‎12-26-2013

Hey somesoni2,

Thanks for the suggestion, but I want to join the values across an unknown number of fields, each named entries.n.category. That is, my example above is the field names, not the value in the fields.

Thanks,

Dave

somesoni2 · ‎12-26-2013

Try split command.

| | eval fieldName=split(fieldName, ",")

This will split value in the fieldName by comma and create a multivalued field out of it.

Creating a multivalue field from a result?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...