I have data that represents values on bidirectional connections for a graph structure.
For example, each event has fields like
NodeA: "nodea"
NodeB: "nodeb"
Forward_Metric: 5
Reverse_Metric: 3
Usually, I want the data in this format, but occasionally, I'd like to separate this line into 2 events like this
NodeA: "nodea"
NodeB: "nodeb"
Metric: 5
and
NodeA: "nodeb"
NodeB: "nodea"
Metric: 3
What I've done is create a string with the multiple events that I then split up into an mv and deal with that, like this:
...
| eval combined=NodeA.",".NodeB.",".Forward_Metric.";".NodeB.",".NodeA.",".Reverse_Metric
| fields _time, combined
| makemv delim=";" combined
| mvexpand combined
| rex field=combined "(?<NodeA>.*),(?<NodeB>.*),(?<Metric>.*)"
| fields - combined
Is there anything in Splunk to eliminate any of these steps? Or just a better way to do it?
Thanks!
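As an added example (not part of the original post), here is one way to drop the makemv step from the pipeline above: build the multivalue field directly with the mvappend eval function, so the ";" delimiter and the separate makemv command are no longer needed. It assumes the same field names as the question (NodeA, NodeB, Forward_Metric, Reverse_Metric); the base search is a placeholder.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| eval combined=mvappend(NodeA.",".NodeB.",".Forward_Metric,
                          NodeB.",".NodeA.",".Reverse_Metric)
| fields _time, combined
| mvexpand combined
| rex field=combined "^(?<NodeA>[^,]+),(?<NodeB>[^,]+),(?<Metric>[^,]+)$"
| fields - combined
```

mvappend returns a multivalue field with one value per argument, so mvexpand immediately yields two events per original connection: one carrying Forward_Metric with the nodes in their original order, and one carrying Reverse_Metric with the nodes swapped. The anchored regex with [^,]+ instead of .* makes the extraction fail visibly (empty fields) rather than silently mis-assign values if a node name ever contains a comma, which is worth checking against your data before relying on the split events.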