Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Expanding CSV to a Multi-Valued Field

jbp4444
Path Finder
‎06-22-2011 08:44 AM

I have a comma-separated list of 3 random values in a field called randlist (syslog-like entries):

Jun 22 10:39:46 bdgpu-login-01 randtest[19726]: xid=1308753586 rand3=2 rand1=0.147066939336213 randlist=0.147066939336213,7.29877393854405,2 rand2=7.29877393854405

I'd like to grab the randlist field and break it into a multi-valued field. For now, there are 3 fields, but it could be a variable-sized list in the future.

I.e. I'd like randlist | ..something.. | eval c=mvcount(randlist) to produce a value of 3 (three items in the list)

Tags (2)
0 Karma
Reply

jbp4444
Path Finder
‎06-22-2011 10:13 AM

unless randlist is itself not getting the comma-separated list? i.e. the last column in the above output suggests randlist is a single number. The original syslog line definitely has the comma-sep list.

0 Karma
Reply

jbp4444
Path Finder
‎06-22-2011 10:12 AM

Hmm, seems like that should work ... but I don't get multiple values:

 randlist | eval r=split(randlist,",") | eval c=mvcount(r) | table _time c r*

the output shows:
_time c r rand1 rand2 rand3 randlist

6/22/11 1:12:47.000 PM 1 0.544830349649022 0.544830349649022 4.65601461737279 3 0.544830349649022

6/22/11 1:11:47.000 PM 1 0.570239085771959 0.570239085771959 4.57874341757059 5 0.570239085771959

6/22/11 1:10:47.000 PM 1 0.284757352089141 0.284757352089141 5.87026520381151 1 0.284757352089141

So only the first entry of randlist is being captured (I get the same result if I put "randlist=split(randlist..." in there too). Tried adding 'mvexpand randlist' .. also didn't seem to help.

0 Karma
Reply

southeringtonp
Motivator
‎06-22-2011 09:53 AM

If you already have randlist extracted, and you're using Splunk 4.1 or higher, you can use split():

| eval randlist=split(randlist, ",")

For older Splunk versions, use rex.

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...