Getting Data In

Expanding CSV to a Multi-Valued Field

jbp4444
Path Finder

I have a comma-separated list of 3 random values in a field called randlist (syslog-like entries):

Jun 22 10:39:46 bdgpu-login-01 randtest[19726]: xid=1308753586 rand3=2 rand1=0.147066939336213 randlist=0.147066939336213,7.29877393854405,2 rand2=7.29877393854405  

I'd like to grab the randlist field and break it into a multi-valued field. For now, there are 3 fields, but it could be a variable-sized list in the future.

I.e. I'd like randlist | ..something.. | eval c=mvcount(randlist) to produce a value of 3 (three items in the list)

Tags (2)
0 Karma

jbp4444
Path Finder

unless randlist is itself not getting the comma-separated list? i.e. the last column in the above output suggests randlist is a single number. The original syslog line definitely has the comma-sep list.

0 Karma

jbp4444
Path Finder

Hmm, seems like that should work ... but I don't get multiple values:

 randlist | eval r=split(randlist,",") | eval c=mvcount(r) | table _time c r*

the output shows:
_time c r rand1 rand2 rand3 randlist

6/22/11 1:12:47.000 PM 1 0.544830349649022 0.544830349649022 4.65601461737279 3 0.544830349649022

6/22/11 1:11:47.000 PM 1 0.570239085771959 0.570239085771959 4.57874341757059 5 0.570239085771959

6/22/11 1:10:47.000 PM 1 0.284757352089141 0.284757352089141 5.87026520381151 1 0.284757352089141

So only the first entry of randlist is being captured (I get the same result if I put "randlist=split(randlist..." in there too). Tried adding 'mvexpand randlist' .. also didn't seem to help.

0 Karma

southeringtonp
Motivator

If you already have randlist extracted, and you're using Splunk 4.1 or higher, you can use split():

| eval randlist=split(randlist, ",")

For older Splunk versions, use rex.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...