topic Re: How to split a field into multiple fields? in Splunk Search

How to split a field into multiple fields?

Minarai — Thu, 30 Mar 2023 07:39:53 GMT

Hi.

Lets say there are fields named "raw".

The values are like this.

http-header1=value1|http-header2=value2..

Number of HTTP Headers is 1 to 4.

ex)

METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg

I'd like to split this field into multiple fields like this.

field | value
----------------------+--------------
raw_http_header1 | value1
raw_http_header2 | value2

...

ex)

field | value

----------------------+--------------

raw_METHOD | POST

raw_User_Agent | Mozilla

raw_HTTP_CONTENT | img/jpeg

...

Notice field name cannot contain "-".

Re: Split a field into multiple fields

bowesmana — Thu, 30 Mar 2023 04:07:38 GMT

Did you want something like this

which from the "extract" will create the field/value pairs and make two columns field and value

or did you want a single piece of text with the value separated with a pipe symbol

Re: Split a field into multiple fields

bowesmana — Thu, 30 Mar 2023 04:10:18 GMT

i.e. this variant

Re: Split a field into multiple fields

Minarai — Thu, 30 Mar 2023 05:43:31 GMT

Thanks for your reply.

What you showed was really good,

but I want add these fields to search result by using eval command or something.

I want add "rawdata_method" field whose value is "POST".

Regards

Re: How to split a field into multiple fields?

ITWhisperer — Thu, 30 Mar 2023 07:45:10 GMT

Re: How to split a field into multiple fields?

Minarai — Thu, 30 Mar 2023 14:15:11 GMT

Thanks a lot!

Sorry to bother you, but is there any way without using mvexpand?

When you use mvexpand, events are created separately,right?

I want add fields to oridinal event.

Re: How to split a field into multiple fields?

ITWhisperer — Thu, 30 Mar 2023 14:20:29 GMT

Re: How to split a field into multiple fields?

Minarai — Sat, 01 Apr 2023 13:54:34 GMT

Thank you for reply!

What I showed you as example was not good.

There are events like this.

index=index_main | table eventID,raw

eventID	raw
1	METHOD=POST\|User-Agent=Mozilla\|HTTP-CONTENT=img/jpeg
2	METHOD=GET\|Referer=http://192.168.0.1
3	METHOD=POST\|X-Forwarded-For=10.0.0.1\|User-Agent=Firefox

The wanted result is like this.
I want to create new field which name is related http header.

eventID2 does not have User-Agent Header, so you do not add raw_User_Agent field.

... | table eventID,raw*

eventID	raw	raw_METHOD	raw_User_Agent	raw_HTTP_CONTENT	raw_Referer	raw_X_Forwarded_For
1	METHOD=POST\|User-Agent=Mozilla\|HTTP-CONTENT=img/jpeg	POST	Mozilla	img/jpeg
2	METHOD=GET\|Referer=http://192.168.0.1	GET			http://192.168.0.1
3	METHOD=POST\|X-Forwarded-For=10.0.0.1\|User-Agent=Firefox	POST	Firefox			10.0.0.1

Re: How to split a field into multiple fields?

ITWhisperer — Sat, 01 Apr 2023 14:03:51 GMT

raw_User_Agent is null for eventID 2

This is how tables work! You have rows and columns. Where there is a value for the column it is shown for that row. The cell (row x column) doesn't simply disappear if there is not value to be shown, it is just blank.