topic Re: Splitting a multi-valued field in Splunk Search

Splitting a multi-valued field

jaterlwj — Thu, 19 Jul 2012 03:42:33 GMT

I was wondering if there's any possible way to split up a multi-valued field using Splunk.

For example. I have field called "classifications" and it looks like this.

classifications = 1;2;3;4;5;6

Is there any way to split it so that when I search "classifications=2" it would understand and show accordingly?

Thanks in advance!

Re: Splitting a multi-valued field

csharp_splunk — Thu, 19 Jul 2012 04:00:07 GMT

Easy.

<whatever search> | eval splitted=split(classifications, ";") | search splitted=<value>

Substitute field names as you see fit.

Re: Splitting a multi-valued field

jaterlwj — Thu, 19 Jul 2012 07:31:39 GMT

Hi. Thanks for your prompt reply!
I have tried to replace the with 1 but it does not return any results. Is there anything I'm missing? I am assuming it's just 1 and not "1" or <1> for the values at the moment!

Re: Splitting a multi-valued field

melonman — Fri, 20 Jul 2012 14:20:51 GMT

I am not sure if this is good solution for you, but I had a similar situation where I needed to get the splitted values from multivalued fields.

Basicly the way to split the multivalued field was the same as the one posted by csharp_splunk.
This was how I tested and is messy, but it worked.

* | head 1 | eval classifications = "1;2;3;4;5;6" | makemv delim=";" classifications | top classifications | fields classifications | search classifications=2

This returns 2 only.

The part:

* | head 1 | eval classifications = "1;2;3;4;5;6"

is just to create dummy fields...

Re: Splitting a multi-valued field

jrodman — Fri, 20 Jul 2012 14:44:13 GMT

I'd use the left-hand side inspector to show the values of splitted in results, to get a better idea the behavior you're getting.

Re: Splitting a multi-valued field

jaterlwj — Tue, 24 Jul 2012 01:49:00 GMT

I'm sorry, I lost you there. By left-hand side inspector, do you mean the search terms?

Re: Splitting a multi-valued field

jaterlwj — Tue, 24 Jul 2012 05:06:39 GMT

I'm not sure what am I missing.. Similar to csharp_splunk's method. I can't get it to work properly.

My records usually either starts with a 0(0;1;2;3) or 2(2;3;4;5) etc.

So after splitting, when I tried to list them out using stats count classifications. They only showed 0 and 2.

Is it normal? I can't seem to search for values either.

Re: Splitting a multi-valued field

rps462 — Thu, 03 Sep 2015 21:22:44 GMT

I have a field that has: value1,value2,value3. I was using split: split_value=split(field, ",")

Afterwards, however, I was not able to search on just one of the items. My search string:

| eval values=split(field, ",") | search values=foo**
This search would show all of the results of values, instead of just foo.

Using the makemv delim method, it works. Weird ...

Re: Splitting a multi-valued field

rps462 — Thu, 03 Sep 2015 21:25:59 GMT

pfft .. nevermind, it does the same thing - this is driving me crazy. I cannot restrict the search to certain elements of a field after a split.

Re: Splitting a multi-valued field

gokadroid — Fri, 07 Oct 2016 03:04:29 GMT

the left hand side inspector i suppose is the side panel where all interesting and extracted fields show up.

Re: Splitting a multi-valued field

cmerriman — Fri, 07 Oct 2016 15:58:48 GMT

I run into this problem and have a rough work around. I have to create an mv field using values for a paticular reason, and then match a substring of that value to another field.

...|stats values(field) as fieldname by sourcetype 
| nomv fieldname
|rex mode=sed field=fieldname "s/ /,/g"
|rex mode=sed field=fieldname "s/^/,/"
|rex mode=sed field=fieldname "s/$/,/" 
|eval match=if(isnotnull(match(fieldname,",".matchfield.","),1,0)

I realize this isn't EXACTLY what you need to do, but it might help start you off. I did a nomv to get it into one row and then replaced my spaces with commas, however it looks like you're already ; delimited so you're a few steps ahead of me. You might be able to get by with just doing something along the lines of

...|eval match=if(isnotnull(match(fieldname,";".2.";"),1,0) |search match=1