topic Splitting a multivalue field on carreige return in Splunk Search https://community.splunk.com/t5/Splunk-Search/Splitting-a-multivalue-field-on-carreige-return/m-p/417536#M169218 <P>good morning, <BR /> I am in the process of breaking out data from a data source that in one field contains a list of similar data for a single device (example below).</P> <P>example:<BR /> (app | version\napp |version\n....)</P> <P>I have been trying to use a split command using \n as the delimiter and that seems to be working, but when I try to expand the events, only a fraction of the events return. I have included a sample of the code i've been using for your review.</P> <P>.....|eval new=split(_raw,"\n") |mvexpand new</P> <P>This seems pretty straight forward, but it doesn't throw an error and it does bring back data, but a small fraction of the what the total should be. </P> <P>Any suggestions would be greatly appreciated?</P> Thu, 24 May 2018 14:34:40 GMT jeffsegal 2018-05-24T14:34:40Z Splitting a multivalue field on carreige return https://community.splunk.com/t5/Splunk-Search/Splitting-a-multivalue-field-on-carreige-return/m-p/417536#M169218 <P>good morning, <BR /> I am in the process of breaking out data from a data source that in one field contains a list of similar data for a single device (example below).</P> <P>example:<BR /> (app | version\napp |version\n....)</P> <P>I have been trying to use a split command using \n as the delimiter and that seems to be working, but when I try to expand the events, only a fraction of the events return. I have included a sample of the code i've been using for your review.</P> <P>.....|eval new=split(_raw,"\n") |mvexpand new</P> <P>This seems pretty straight forward, but it doesn't throw an error and it does bring back data, but a small fraction of the what the total should be. </P> <P>Any suggestions would be greatly appreciated?</P> Thu, 24 May 2018 14:34:40 GMT https://community.splunk.com/t5/Splunk-Search/Splitting-a-multivalue-field-on-carreige-return/m-p/417536#M169218 jeffsegal 2018-05-24T14:34:40Z Re: Splitting a multivalue field on carreige return https://community.splunk.com/t5/Splunk-Search/Splitting-a-multivalue-field-on-carreige-return/m-p/417537#M169219 <P>Try like this</P> <PRE><CODE>....| eval new=_raw | eval new=split(new,"\\n") |mvexpand new </CODE></PRE> <P>OR (if above doesn't work)</P> <PRE><CODE>--- | eval new=replace(_raw,"[\r\n]+","##LBreak##") | makemv new delim="##LBreak##" | mvexpand new </CODE></PRE> Thu, 24 May 2018 16:28:35 GMT https://community.splunk.com/t5/Splunk-Search/Splitting-a-multivalue-field-on-carreige-return/m-p/417537#M169219 somesoni2 2018-05-24T16:28:35Z