Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract multiple values from a single field into multiple unique fields

alex387
New Member
‎09-02-2019 05:14 PM

Hello,

Is there a way to split out the unique values of a field into separate fields that are returned after a search?

For example, my search returns the following syslog messages
Login Success from 1.1.1.1
Login Failed from 2.2.2.2
Login Failed from 1.1.1.1

Splunk has extracted the following field "field 1" which contains the "Success" and "Failed" string values

Is there a way (preferably eval command) to extract these values into there own unique fields, i.e field2=Failed, field3=Success

This is so I can use a table command like the following
| table ip, field1, field2, field3

Thank you

Tags (1)
0 Karma
Reply

thesplunkmonkey
Path Finder
‎09-13-2019 01:42 PM

Hey @alex387, just following up to see if you got the answer you need.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-03-2019 12:30 PM

I agree with @adonio about this request not making a lot of sense. However, here's one way to do it.

... | eval field2 = if(field1=="Success", field1, NULL), field3 = if(field1=="Failed", field1, NULL)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

thesplunkmonkey
Path Finder
‎09-03-2019 09:24 AM

There's other ways to do this, but here's one possibility for you --

Based on your sample data, it seems you would know the possible values ahead of time. If that's the case, you could use an eval to assign the value to a field you want.

... | eval field2=if(field1 == "Failed", field1, "") | eval field3=if(field1 == "Success", field1, "") | table ip field2 field3

This would give you the following, given the data you provided.

ip            field2       field3
1.1.1.1                    Success
2.2.2.2       Failed
1.1.1.1       Failed
0 Karma
Reply

adonio
Ultra Champion
‎09-02-2019 08:47 PM

why would you want that?
the entire idea is to be able to put different values in fields so you can perform functions and statistics on them
a single value to a field is almost meaningless ...
you can always do your query with table, but i think you probably have a question regarding your data ...
think about this / those question/s articulate them, and write the query that will answer it.
also, i recommend to read at docs.splunk.com regarding fields, extractions, and data on-boarding

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...