topic Re: Eval from Multivalue field in Splunk Search

Help with Eval from Multivalue field?

ff170a — Tue, 08 Nov 2022 16:03:58 GMT

I have a dataset with a multiline field called Logs. The field typically has values like the below,

"mId": "Null", "deviceID": "a398Z389j", "cSession": "443", "cWeb": "443", "uWeb": "Mixed", "s": "Steak", "Ing": [ "1-555-5555555", "1-888-8888888" ], "Sem": [ "Warehouse@Forest.box" ]

I'd like to make it so I can identify the values within "Ing" and easily search where a specific value is in "Ing" for other events. I was able to break it out and split on the comma and then look at the index number 6 but this only returns the 1st item, where in most events there are multiple (upwards of 10) items.

| eval a = mvindex(split(Logs,","), 6) "Ing": [ "1-555-5555555"

Thoughts on how to get a complete list of the items in Ing?

Re: Eval from Multivalue field

johnhuang — Tue, 08 Nov 2022 02:00:34 GMT

Assuming that Ing values are always formatted as a phone number:

| rex field=Logs "\"(?<ing_values>\d\-\d{3}\-\d+)\"" | eval ing_6=MVINDEX(ing_values, 6)

Re: Eval from Multivalue field

ff170a — Tue, 08 Nov 2022 02:15:05 GMT

Thanks for the response. The numbers do appear in a phone number format, but are not phone numbers.

If I use that rex on my data, I only get the first item in the ing field, and not all of the items, which is what I am trying to gather.

Re: Eval from Multivalue field

ff170a — Tue, 08 Nov 2022 02:23:08 GMT

Adding a max_match=10 resolved that issue. Looks like I got what I need. Thanks!