- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you MVZIP more than one field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My data is in JSON format, and contains arrays of JSON data that can be from 1 to N blocks. In this JSON, fields can have the same value across the blocks.
If I have 3 multivalue fields across those blocks, how do I combine them? With mvzip, I can combine two. This lets me parse out the specific value for another value.
FieldA FieldB FieldC
Quick Brown Fox
Jumped Brown Fox
Over Brown The
So if I wanted to find all values of FieldA that corresponded to Brown Fox, then I want to be able to zip up FIeldA+FieldB+FieldC, then look for the specific combination of Brown and Fox. For 2 fields, I have done this with mvzip. How do I do this with three fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this
| makeresults
| eval FieldA="Quick,Jumped,Over", FieldB="Brown,Brown,Brown", FieldC="Fox,Fox,The"
| makemv delim="," FieldA
| makemv delim="," FieldB
| makemv delim="," FieldC
| stats list(FieldA) as FieldA,list(FieldB) as FieldB,list(FieldC) as FieldC
| eval temp=mvzip(FieldA,mvzip(FieldB,FieldC))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is an old topic, but i recently had the same issue. So maybe it will help someone else.
the mvzip takes 2 required and one optional parameter. You can only combine two fields at a time, followed by any character as a delimiter. in the example below, I use a pipe character |
But i have discovered, you can nest the mvzip and then extract them out
so for your example using FieldA, FieldB, and FieldC
A simple mvzip would be:
| eval combined_data=mvzip(FieldA,FieldB,"|")
and that's it, but wait there's more, proceed with nesting
| eval combined_data=mvzip(mvzip(FieldA,FieldB,"|"),FieldC,"|")
next expand the mv field
| mvexpand combined_data
Finally, extract the fields in the same order you combined them:
| rex field=combined_data "^(?<FieldA>[^|]*)\|(?<FieldB>[^|]*)\|(?<FieldC>[^|]*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this
| makeresults
| eval FieldA="Quick,Jumped,Over", FieldB="Brown,Brown,Brown", FieldC="Fox,Fox,The"
| makemv delim="," FieldA
| makemv delim="," FieldB
| makemv delim="," FieldC
| stats list(FieldA) as FieldA,list(FieldB) as FieldB,list(FieldC) as FieldC
| eval temp=mvzip(FieldA,mvzip(FieldB,FieldC))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help. I didn't realize I could use mvzip inside of an mvzip. Once I did that, it worked fine to find the specific cases we needed. Thanks!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
