Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multivalue field to multiple fields

yurykiselev
Path Finder
‎04-11-2018 06:34 AM

Hi!
How to split multivalue field, e.g. JSON array elements (value😞

{
  "id": 4321,
  "value": [
   5, 6, 7, 8
  ]
}

.

id     | value
4321     5 6 7 8

to multiple fileds with some index remaining one event:

id     | value_0 | value_1 | value_2 | value_3
4321     5         6         7         8

Thank you!

Tags (1)
0 Karma
Reply

niketn
Legend
‎04-13-2018 10:12 AM

@yurykiselev, please try the following run anywhere search which mimics two JSON data one with 4 values and another with three. The commands from | makeresults till | fields - _raw _time generates the dummy data, instead of which you would need to use your current search.

|  makeresults
|  eval _raw=" {
   \"id\": 4321,
   \"value\": [
    5, 6, 7, 8
   ]
 }"
 | append 
    [|  makeresults
|  eval _raw=" {
   \"id\": 1234,
   \"value\": [
    1, 2, 3
   ]
 }"]
 |  spath
 |  fields - _raw _time
 |  rename "value{}" as value
 |  eval values_count=mvcount(value)+1
 |  eval counter=mvrange(1,values_count)
 |  eval value=mvzip(value,counter)
 |  fields - counter values_count
 |  mvexpand value
 |  eval value=split(value,",")
 |  eval counter="value_".mvindex(value,1),value=mvindex(value,0)
 |  chart values(value) by id counter
 |  fillnull value=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

niketn
Legend
‎04-11-2018 07:13 AM

@yurykiselev, would there be 4 values under value list or it can be any number of values?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

yurykiselev
Path Finder
‎04-13-2018 04:04 AM

It can be any

0 Karma
Reply

p_gurav
Champion
‎04-11-2018 07:06 AM

Can you try :

| makeresults | eval abc="5 6 7 8"|eval temp=split(abc," ") | eval mv1 = mvindex(temp, 0) | eval mv2 = mvindex(temp, 1) | eval mv3 = mvindex(temp, 2) | eval mv4 = mvindex(temp, 3)
0 Karma
Reply

yurykiselev
Path Finder
‎04-12-2018 01:16 AM

It's good idea:

eval mv1 = mvindex(temp, 0) | eval mv2 = mvindex(temp, 1) | eval mv3 = mvindex(temp, 2) | eval mv4 = mvindex(temp, 3)

, but size of value is variable and I need to create mv1..n dynamically

0 Karma
Reply

damien_chillet
Builder
‎04-11-2018 06:46 AM

Depends on the consistency of the value field but if it's always 4 numbers you could use something like this:

| rex field=value "(?P<value_0>\d+)\s(?P<value_1>\d+)\s(?P<value_2>\d+)\s(?P<value_3>\d+)"
0 Karma
Reply
Get Updates on the Splunk Community!

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Top