Splunk Search

Extract multiple values from a single field into multiple unique fields

alex387
New Member

Hello,

Is there a way to split out the unique values of a field into separate fields that are returned after a search?

For example, my search returns the following syslog messages
Login Success from 1.1.1.1
Login Failed from 2.2.2.2
Login Failed from 1.1.1.1

Splunk has extracted the following field "field1" which contains the "Success" and "Failed" string values.

Is there a way (preferably with the eval command) to extract these values into their own unique fields, i.e. field2=Failed, field3=Success?

This is so I can use a table command like the following
| table ip, field1, field2, field3

Thank you


thesplunkmonkey
Path Finder

Hey @alex387, just following up to see if you got the answer you need.


richgalloway
SplunkTrust

I agree with @adonio about this request not making a lot of sense. However, here's one way to do it.

... | eval field2 = if(field1=="Success", field1, null()), field3 = if(field1=="Failed", field1, null())
---
If this reply helps you, Karma would be appreciated.

thesplunkmonkey
Path Finder

There's other ways to do this, but here's one possibility for you --

Based on your sample data, it seems you would know the possible values ahead of time. If that's the case, you could use an eval to assign the value to a field you want.

... | eval field2=if(field1 == "Failed", field1, "") | eval field3=if(field1 == "Success", field1, "") | table ip field2 field3

This would give you the following, given the data you provided.

ip            field2       field3
1.1.1.1                    Success
2.2.2.2       Failed
1.1.1.1       Failed

adonio
Ultra Champion

Why would you want that?
The entire idea is to be able to put different values in fields so you can perform functions and statistics on them.
A single value to a field is almost meaningless ...
You can always do your query with table, but I think you probably have a question regarding your data ...
Think about this question (or those questions), articulate them, and write the query that will answer it.
Also, I recommend reading docs.splunk.com regarding fields, extractions, and data on-boarding.
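An added example, not from any of the posters above, that puts the two approaches in the thread side by side on the three sample syslog lines. The first part uses makeresults to construct the sample events inline and rex to extract the ip and status fields (the field names `ip` and `status` are assumptions; the original thread calls the status field "field1"). The last three commands show the aggregation adonio is pointing at: chart turns the status values into one column per value, which is the per-ip "Failed" and "Success" layout the question asks for, but holding counts you can filter on. The closing where clause keeps only source addresses that have both a failed and a successful login, the pattern a security analyst usually wants from this data.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n==1, "Login Success from 1.1.1.1",
                 n==2, "Login Failed from 2.2.2.2",
                 n==3, "Login Failed from 1.1.1.1")
| rex field=_raw "^Login (?<status>Success|Failed) from (?<ip>\d{1,3}(?:\.\d{1,3}){3})$"
| chart count OVER ip BY status
| fillnull value=0 Failed Success
| where Failed > 0 AND Success > 0
```

On the constructed sample this returns a single row, ip=1.1.1.1 with Failed=1 and Success=1; 2.2.2.2 is dropped because it never succeeded. Replace the first three commands with your real search (index, sourcetype, time range) and keep the rex if the ip and status fields are not already extracted; if you still want the per-event field2/field3 split from the answers above, insert that eval between rex and chart.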
