https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344774#M39833 <P>Ahhbone last thing. Check example 3 in the splunk mvexpand command doc<BR /><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand</A></P> Fri, 09 Mar 2018 23:39:25 GMT damiensurat 2018-03-09T23:39:25Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344772#M39831 <P>Hi<BR />I have the following syntax that extract multiple values for the same fields in an event.</P> <P>This is the query:</P> <PRE><CODE>index=.... | rex max_match=100 "(?&lt;connBlock&gt;\d+)\s+(?&lt;connector&gt;[\d\w]+)\s+Located\s+at\s+STA:\s*(?&lt;sta_coord&gt;[\d\w[^,]+) </CODE></PRE> <P>For this query I get the following fields for each event:</P> <PRE><CODE>connBlock = [500 600 700 800 ...] and stat_coord [A345 A3422 B2434 ...] </CODE></PRE> <P>Those events also have a field called testNum which looks like "AFKE-232322".</P> <P>I want to create a table like this:</P> <PRE><CODE>testNUM connBlock stat_coord AFKE-232322 500 A345 AFKE-232322 600 A3422 AFKE-232322 700 B2434 AFKE-232322 800 C745 ... I also have different tests AFBE-228322 500 A345 AFBE-228322 600 D3422 AFCE-005322 700 B2434 </CODE></PRE> <P>When I try to do a table, I get the table below, and the stat_coord, connBlock appear in the same row than the testNum.</P> <PRE><CODE>testNUM connBlock stat_coord AFKE-232322 500 A345 600 A3422 700 B2434 800 C745 AFBE-228322 500 A345 600 D3422 AFCE-005322 500 B2434 </CODE></PRE> <P>The reason for separating the fields is that I want to do a query like the one below and get the sta_coord or the connector based on a testNum and connBlock of an event.</P> <P>index=.... | search testNum=AFKE-232322 connBlock=600</P> Tue, 02 May 2023 19:05:13 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344772#M39831 edrivera3 2023-05-02T19:05:13Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344773#M39832 <P>Hi edrivera3. I've experienced these types of scenarios before and man. What a doozie. You may want to try to use the mvexpand on those fields if they are already considered multivalue. In some scenarios you may need to make the field a mv field first using the makemv command and then piping out to mvexpand. Try your search| mvexpand connBlock |mvexpand stat_coord. Here a link to a similar mv solution which may help as well: <A href="https://answers.splunk.com/answers/25653/mvexpand-multiple-multi-value-fields.html">https://answers.splunk.com/answers/25653/mvexpand-multiple-multi-value-fields.html</A></P> <P>If this doesn't work let me know and id be happy to further assist. Happy splunking!</P> Fri, 09 Mar 2018 23:34:06 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344773#M39832 damiensurat 2018-03-09T23:34:06Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344774#M39833 <P>Ahhbone last thing. Check example 3 in the splunk mvexpand command doc<BR /><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand</A></P> Fri, 09 Mar 2018 23:39:25 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344774#M39833 damiensurat 2018-03-09T23:39:25Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344775#M39834 <P>Thanks. I think this is the solution, but the results gets truncated. I actually have 5 different multi-value fields.</P> Sat, 10 Mar 2018 00:13:10 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344775#M39834 edrivera3 2018-03-10T00:13:10Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344776#M39835 <P>Did you use limit=0 argument.</P> <PRE><CODE>limit Syntax: limit= Description: Specify the number of values of to use for each input event. Default: 0, or no limit </CODE></PRE> Sat, 10 Mar 2018 00:55:48 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344776#M39835 strive 2018-03-10T00:55:48Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344777#M39836 <P>Hi edrivera3,</P> <P>You can use mvexpand with eval to do this. </P> <P>Here is the sample query for you.</P> <P>Your base query<BR /> | eval tagged=mvzip(testNUM, connBlock) <BR /> | mvexpand tagged <BR /> | makemv tagged delim="," <BR /> | eval testNUM=mvindex(tagged,0) <BR /> | eval connBlock=mvindex(tagged,1) <BR /> | table *</P> <P>Hopefully this will get you what your expecting to do.</P> <P>Cheers!</P> Mon, 12 Mar 2018 08:34:08 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344777#M39836 fz 2018-03-12T08:34:08Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344778#M39837 <P>damientsurat: Your solution is correct and it's the same as the one provided by fz. Do you want me accept your answer? If so, please write an answer with the solution. If you are not interested I'm going to accept fz's answer.</P> Mon, 12 Mar 2018 18:41:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/344778#M39837 edrivera3 2018-03-12T18:41:43Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/580488#M47550 <P>Thanks a lot <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> !</P> Mon, 10 Jan 2022 16:54:56 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/580488#M47550 mihai_T 2022-01-10T16:54:56Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/642044#M52441 <P>Thanks so much for this! Also fixed my similar issues! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> Tue, 02 May 2023 17:32:11 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-separate-multi-value-field-in-individual-fields/m-p/642044#M52441 clehw 2023-05-02T17:32:11Z