Solved: Re: How to get total comma separated values in spl...

ajayabburi508 · ‎05-22-2018

Hi all,

I am getting event like this

Im trying to get total values with the comma separated but I am not getting them.

I have written this basic query:

index="****"  var=***| head 1 | table val

But it is not working, please help me out.

ajayabburi508 · ‎05-22-2018

index="****"  var=***| head 1|eval new=_raw | eval neew=split(new,"var=***,val=")| table neew | makemv delim="," neew|mvexpand neew |streamstats count | where count!=1 | fields - count

View solution in original post

ajayabburi508 · ‎05-22-2018

index="****"  var=***| head 1|eval new=_raw | eval neew=split(new,"var=***,val=")| table neew | makemv delim="," neew|mvexpand neew |streamstats count | where count!=1 | fields - count

mayurr98 · ‎05-22-2018

can you share one sample event of your raw data?
Also try this

index="" var=* 
| head 1 
| table val 
| rex field=val mode=sed "s/val\=//g"

let me know if this helps!

xpac · ‎05-22-2018

For the example event you showed us - what would be your desired result?

ajayabburi508 · ‎05-22-2018

i want out put like this

val
972,972,972,972,972,972,972,972..............................

How to get total comma separated values in splunk?

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector