Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Expanding CSV to a Multi-Valued Field

jbp4444
Path Finder
‎06-22-2011 08:44 AM

I have a comma-separated list of 3 random values in a field called randlist (syslog-like entries):

Jun 22 10:39:46 bdgpu-login-01 randtest[19726]: xid=1308753586 rand3=2 rand1=0.147066939336213 randlist=0.147066939336213,7.29877393854405,2 rand2=7.29877393854405

I'd like to grab the randlist field and break it into a multi-valued field. For now, there are 3 fields, but it could be a variable-sized list in the future.

I.e. I'd like randlist | ..something.. | eval c=mvcount(randlist) to produce a value of 3 (three items in the list)

Tags (2)
0 Karma
Reply

jbp4444
Path Finder
‎06-22-2011 10:13 AM

unless randlist is itself not getting the comma-separated list? i.e. the last column in the above output suggests randlist is a single number. The original syslog line definitely has the comma-sep list.

0 Karma
Reply

jbp4444
Path Finder
‎06-22-2011 10:12 AM

Hmm, seems like that should work ... but I don't get multiple values:

 randlist | eval r=split(randlist,",") | eval c=mvcount(r) | table _time c r*

the output shows:
_time c r rand1 rand2 rand3 randlist

6/22/11 1:12:47.000 PM 1 0.544830349649022 0.544830349649022 4.65601461737279 3 0.544830349649022

6/22/11 1:11:47.000 PM 1 0.570239085771959 0.570239085771959 4.57874341757059 5 0.570239085771959

6/22/11 1:10:47.000 PM 1 0.284757352089141 0.284757352089141 5.87026520381151 1 0.284757352089141

So only the first entry of randlist is being captured (I get the same result if I put "randlist=split(randlist..." in there too). Tried adding 'mvexpand randlist' .. also didn't seem to help.

0 Karma
Reply

southeringtonp
Motivator
‎06-22-2011 09:53 AM

If you already have randlist extracted, and you're using Splunk 4.1 or higher, you can use split():

| eval randlist=split(randlist, ",")

For older Splunk versions, use rex.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...