I have a comma-separated list of 3 random values in a field called randlist (syslog-like entries):
Jun 22 10:39:46 bdgpu-login-01 randtest[19726]: xid=1308753586 rand3=2 rand1=0.147066939336213 randlist=0.147066939336213,7.29877393854405,2 rand2=7.29877393854405
I'd like to grab the randlist field and break it into a multi-valued field. For now, there are 3 fields, but it could be a variable-sized list in the future.
I.e. I'd like randlist | ..something.. | eval c=mvcount(randlist) to produce a value of 3 (three items in the list).
Unless randlist is itself not getting the comma-separated list? I.e. the last column in the above output suggests randlist is a single number. The original syslog line definitely has the comma-sep list.
Hmm, seems like that should work ... but I don't get multiple values:
randlist | eval r=split(randlist,",") | eval c=mvcount(r) | table _time c r*
the output shows:
_time                    c  r                  rand1              rand2             rand3  randlist
6/22/11 1:12:47.000 PM   1  0.544830349649022  0.544830349649022  4.65601461737279  3      0.544830349649022
6/22/11 1:11:47.000 PM   1  0.570239085771959  0.570239085771959  4.57874341757059  5      0.570239085771959
6/22/11 1:10:47.000 PM   1  0.284757352089141  0.284757352089141  5.87026520381151  1      0.284757352089141
So only the first entry of randlist is being captured (I get the same result if I put "randlist=split(randlist..." in there too). Tried adding 'mvexpand randlist' .. also didn't seem to help.
If you already have randlist extracted, and you're using Splunk 4.1 or higher, you can use split():
| eval randlist=split(randlist, ",")
For older Splunk versions, use rex.
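
An added example, not part of the original answer or thread: one way to combine the two suggestions when the extracted randlist holds only the first item, as the table output in the question shows. It assumes the full list is still present in _raw, re-extracts it with rex up to the next whitespace, and then applies split(). The field names randlist_raw and randlist_mv are hypothetical, chosen so the automatically extracted randlist is not overwritten.

```spl
randlist
| rex field=_raw "randlist=(?<randlist_raw>\S+)"
| eval randlist_mv=split(randlist_raw, ",")
| eval c=mvcount(randlist_mv)
| table _time c randlist_raw randlist_mv
```

Because split() returns one value per comma-delimited item, c follows the list length if the number of items changes later.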