https://community.splunk.com/t5/Splunk-Search/Extract-multiple-values-from-a-single-field-into-multiple-unique/m-p/467221#M191879 <P>Hey @alex387, just following up to see if you got the answer you need.</P> Fri, 13 Sep 2019 20:42:16 GMT thesplunkmonkey 2019-09-13T20:42:16Z https://community.splunk.com/t5/Splunk-Search/Extract-multiple-values-from-a-single-field-into-multiple-unique/m-p/467217#M191875 <P>Hello,</P> <P>Is there a way to split out the unique values of a field into separate fields that are returned after a search?</P> <P>For example, my search returns the following syslog messages<BR /> Login Success from 1.1.1.1<BR /> Login Failed from 2.2.2.2<BR /> Login Failed from 1.1.1.1</P> <P>Splunk has extracted the following field "field 1" which contains the "Success" and "Failed" string values</P> <P>Is there a way (preferably eval command) to extract these values into there own unique fields, i.e field2=Failed, field3=Success</P> <P>This is so I can use a table command like the following<BR /> | table ip, field1, field2, field3</P> <P>Thank you</P> Tue, 03 Sep 2019 00:14:11 GMT https://community.splunk.com/t5/Splunk-Search/Extract-multiple-values-from-a-single-field-into-multiple-unique/m-p/467217#M191875 alex387 2019-09-03T00:14:11Z https://community.splunk.com/t5/Splunk-Search/Extract-multiple-values-from-a-single-field-into-multiple-unique/m-p/467218#M191876 <P>why would you want that?<BR /> the entire idea is to be able to put different values in fields so you can perform functions and statistics on them<BR /> a single value to a field is almost meaningless ...<BR /> you can always do your query with table, but i think you probably have a question regarding your data ...<BR /> think about this / those question/s articulate them, and write the query that will answer it.<BR /> also, i recommend to read at docs.splunk.com regarding fields, extractions, and data on-boarding</P> Tue, 03 Sep 2019 03:47:23 GMT https://community.splunk.com/t5/Splunk-Search/Extract-multiple-values-from-a-single-field-into-multiple-unique/m-p/467218#M191876 adonio 2019-09-03T03:47:23Z https://community.splunk.com/t5/Splunk-Search/Extract-multiple-values-from-a-single-field-into-multiple-unique/m-p/467219#M191877 <P>There's other ways to do this, but here's one possibility for you --</P> <P>Based on your sample data, it seems you would know the possible values ahead of time. If that's the case, you could use an eval to assign the value to a field you want.</P> <PRE><CODE>... | eval field2=if(field1 == "Failed", field1, "") | eval field3=if(field1 == "Success", field1, "") | table ip field2 field3 </CODE></PRE> <P>This would give you the following, given the data you provided.</P> <PRE><CODE>ip field2 field3 1.1.1.1 Success 2.2.2.2 Failed 1.1.1.1 Failed </CODE></PRE> Tue, 03 Sep 2019 16:24:20 GMT https://community.splunk.com/t5/Splunk-Search/Extract-multiple-values-from-a-single-field-into-multiple-unique/m-p/467219#M191877 thesplunkmonkey 2019-09-03T16:24:20Z https://community.splunk.com/t5/Splunk-Search/Extract-multiple-values-from-a-single-field-into-multiple-unique/m-p/467220#M191878 <P>I agree with @adonio about this request not making a lot of sense. However, here's one way to do it.</P> <PRE><CODE>... | eval field2 = if(field1=="Success", field1, NULL), field3 = if(field1=="Failed", field1, NULL) </CODE></PRE> Tue, 03 Sep 2019 19:30:19 GMT https://community.splunk.com/t5/Splunk-Search/Extract-multiple-values-from-a-single-field-into-multiple-unique/m-p/467220#M191878 richgalloway 2019-09-03T19:30:19Z https://community.splunk.com/t5/Splunk-Search/Extract-multiple-values-from-a-single-field-into-multiple-unique/m-p/467221#M191879 <P>Hey @alex387, just following up to see if you got the answer you need.</P> Fri, 13 Sep 2019 20:42:16 GMT https://community.splunk.com/t5/Splunk-Search/Extract-multiple-values-from-a-single-field-into-multiple-unique/m-p/467221#M191879 thesplunkmonkey 2019-09-13T20:42:16Z