Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Expanding CSV to a Multi-Valued Field

jbp4444
Path Finder
‎06-22-2011 08:44 AM

I have a comma-separated list of 3 random values in a field called randlist (syslog-like entries):

Jun 22 10:39:46 bdgpu-login-01 randtest[19726]: xid=1308753586 rand3=2 rand1=0.147066939336213 randlist=0.147066939336213,7.29877393854405,2 rand2=7.29877393854405

I'd like to grab the randlist field and break it into a multi-valued field. For now, there are 3 fields, but it could be a variable-sized list in the future.

I.e. I'd like randlist | ..something.. | eval c=mvcount(randlist) to produce a value of 3 (three items in the list)

Tags (2)
0 Karma
Reply

jbp4444
Path Finder
‎06-22-2011 10:13 AM

unless randlist is itself not getting the comma-separated list? i.e. the last column in the above output suggests randlist is a single number. The original syslog line definitely has the comma-sep list.

0 Karma
Reply

jbp4444
Path Finder
‎06-22-2011 10:12 AM

Hmm, seems like that should work ... but I don't get multiple values:

 randlist | eval r=split(randlist,",") | eval c=mvcount(r) | table _time c r*

the output shows:
_time c r rand1 rand2 rand3 randlist

6/22/11 1:12:47.000 PM 1 0.544830349649022 0.544830349649022 4.65601461737279 3 0.544830349649022

6/22/11 1:11:47.000 PM 1 0.570239085771959 0.570239085771959 4.57874341757059 5 0.570239085771959

6/22/11 1:10:47.000 PM 1 0.284757352089141 0.284757352089141 5.87026520381151 1 0.284757352089141

So only the first entry of randlist is being captured (I get the same result if I put "randlist=split(randlist..." in there too). Tried adding 'mvexpand randlist' .. also didn't seem to help.

0 Karma
Reply

southeringtonp
Motivator
‎06-22-2011 09:53 AM

If you already have randlist extracted, and you're using Splunk 4.1 or higher, you can use split():

| eval randlist=split(randlist, ",")

For older Splunk versions, use rex.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...