https://community.splunk.com/t5/Splunk-Search/makemv-and-mvindex-not-working-as-expected/m-p/549703#M155998 <P>I am working with JSON data type events and am trying to extract the username (user1, user2) from the pathspec data structure in my events (sample below) :<BR /><BR /><SPAN>"</SPAN><SPAN class="t">pathspec</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> {"</SPAN><SPAN class="t">__type__</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">PathSpec</SPAN><SPAN>", "</SPAN><SPAN class="t h">location</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">/media/APA_windows/Users/user1/AppData/Local/Microsoft/Windows/UsrClass.dat</SPAN><SPAN>", "</SPAN><SPAN class="t">type_indicator</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">OS</SPAN><SPAN>"}</SPAN><BR /><BR /><SPAN>"</SPAN><SPAN class="t">pathspec</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> {"</SPAN><SPAN class="t">__type__</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">PathSpec</SPAN><SPAN>", "</SPAN><SPAN class="t h">location</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">/media/APA_windows/Users/user2/AppData/Local/Microsoft/Windows/UsrClass.dat</SPAN><SPAN>", "</SPAN><SPAN class="t">type_indicator</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">OS</SPAN><SPAN>"}<BR /><BR /></SPAN><STRONG>I am using the below SPL</STRONG>&nbsp;to split up pathspec.location into a multi value field and then use mvindex :&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">..... | makemv delim="/" pathspec.location | eval user_name = mvindex(pathspec.location, 3) </LI-CODE><P>&nbsp;</P><P><BR />However when I table out the user_name field it does not show any results. Not sure why this is not working. Any suggestions would be helpful&nbsp;<BR /><BR />Desired output from the user_name field would be&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">user1 user2 . . . . .</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 28 Apr 2021 23:05:00 GMT ankit 2021-04-28T23:05:00Z https://community.splunk.com/t5/Splunk-Search/makemv-and-mvindex-not-working-as-expected/m-p/549703#M155998 <P>I am working with JSON data type events and am trying to extract the username (user1, user2) from the pathspec data structure in my events (sample below) :<BR /><BR /><SPAN>"</SPAN><SPAN class="t">pathspec</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> {"</SPAN><SPAN class="t">__type__</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">PathSpec</SPAN><SPAN>", "</SPAN><SPAN class="t h">location</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">/media/APA_windows/Users/user1/AppData/Local/Microsoft/Windows/UsrClass.dat</SPAN><SPAN>", "</SPAN><SPAN class="t">type_indicator</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">OS</SPAN><SPAN>"}</SPAN><BR /><BR /><SPAN>"</SPAN><SPAN class="t">pathspec</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> {"</SPAN><SPAN class="t">__type__</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">PathSpec</SPAN><SPAN>", "</SPAN><SPAN class="t h">location</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">/media/APA_windows/Users/user2/AppData/Local/Microsoft/Windows/UsrClass.dat</SPAN><SPAN>", "</SPAN><SPAN class="t">type_indicator</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">OS</SPAN><SPAN>"}<BR /><BR /></SPAN><STRONG>I am using the below SPL</STRONG>&nbsp;to split up pathspec.location into a multi value field and then use mvindex :&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">..... | makemv delim="/" pathspec.location | eval user_name = mvindex(pathspec.location, 3) </LI-CODE><P>&nbsp;</P><P><BR />However when I table out the user_name field it does not show any results. Not sure why this is not working. Any suggestions would be helpful&nbsp;<BR /><BR />Desired output from the user_name field would be&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">user1 user2 . . . . .</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 28 Apr 2021 23:05:00 GMT https://community.splunk.com/t5/Splunk-Search/makemv-and-mvindex-not-working-as-expected/m-p/549703#M155998 ankit 2021-04-28T23:05:00Z https://community.splunk.com/t5/Splunk-Search/makemv-and-mvindex-not-working-as-expected/m-p/549707#M155999 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232611">@ankit</a>&nbsp;</P><P>Field names containing special characters should be surrounded with single quotes when used in eval expressions:</P><P>| eval user_name =&nbsp;mvindex('pathspec.location', 3)</P> Wed, 28 Apr 2021 23:17:24 GMT https://community.splunk.com/t5/Splunk-Search/makemv-and-mvindex-not-working-as-expected/m-p/549707#M155999 tscroggins 2021-04-28T23:17:24Z https://community.splunk.com/t5/Splunk-Search/makemv-and-mvindex-not-working-as-expected/m-p/549711#M156000 <P>Awesome ! That worked&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49493">@tscroggins</a>&nbsp;! Thanks a lot for helping out.&nbsp;<BR />Could you point me to a link, if possible, to what Splunk considers as special characters ?&nbsp;<BR /><BR /></P> Wed, 28 Apr 2021 23:28:16 GMT https://community.splunk.com/t5/Splunk-Search/makemv-and-mvindex-not-working-as-expected/m-p/549711#M156000 ankit 2021-04-28T23:28:16Z https://community.splunk.com/t5/Splunk-Search/makemv-and-mvindex-not-working-as-expected/m-p/549716#M156002 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232611">@ankit</a>&nbsp;</P><P>The exact wording in documentation [1] (emphasis Splunk's):</P><P class="lia-indent-padding-left-30px">If the expression references a <STRONG>field name</STRONG> that contains non-alphanumeric characters, other than the underscore ( _ ) character, the field name needs to be surrounded by s<STRONG>ingle quotation marks</STRONG>. For example, if the field name is <STRONG>server-1</STRONG> you specify the field name like this <STRONG>new=count+'server-1'</STRONG>.</P><P>I.e. Any character other then 0-9, A-Z, a-z, and _.</P><P>1.&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Eval" target="_self">https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Eval</A></P> Wed, 28 Apr 2021 23:41:50 GMT https://community.splunk.com/t5/Splunk-Search/makemv-and-mvindex-not-working-as-expected/m-p/549716#M156002 tscroggins 2021-04-28T23:41:50Z