Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Multivalue field to multiple fields

yurykiselev
Path Finder
‎04-11-2018 06:34 AM

Hi!
How to split multivalue field, e.g. JSON array elements (value😞

{
  "id": 4321,
  "value": [
   5, 6, 7, 8
  ]
}

.

id     | value
4321     5 6 7 8

to multiple fileds with some index remaining one event:

id     | value_0 | value_1 | value_2 | value_3
4321     5         6         7         8

Thank you!

Tags (1)
0 Karma
Reply

niketn
Legend
‎04-13-2018 10:12 AM

@yurykiselev, please try the following run anywhere search which mimics two JSON data one with 4 values and another with three. The commands from | makeresults till | fields - _raw _time generates the dummy data, instead of which you would need to use your current search.

|  makeresults
|  eval _raw=" {
   \"id\": 4321,
   \"value\": [
    5, 6, 7, 8
   ]
 }"
 | append 
    [|  makeresults
|  eval _raw=" {
   \"id\": 1234,
   \"value\": [
    1, 2, 3
   ]
 }"]
 |  spath
 |  fields - _raw _time
 |  rename "value{}" as value
 |  eval values_count=mvcount(value)+1
 |  eval counter=mvrange(1,values_count)
 |  eval value=mvzip(value,counter)
 |  fields - counter values_count
 |  mvexpand value
 |  eval value=split(value,",")
 |  eval counter="value_".mvindex(value,1),value=mvindex(value,0)
 |  chart values(value) by id counter
 |  fillnull value=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

niketn
Legend
‎04-11-2018 07:13 AM

@yurykiselev, would there be 4 values under value list or it can be any number of values?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

yurykiselev
Path Finder
‎04-13-2018 04:04 AM

It can be any

0 Karma
Reply

p_gurav
Champion
‎04-11-2018 07:06 AM

Can you try :

| makeresults | eval abc="5 6 7 8"|eval temp=split(abc," ") | eval mv1 = mvindex(temp, 0) | eval mv2 = mvindex(temp, 1) | eval mv3 = mvindex(temp, 2) | eval mv4 = mvindex(temp, 3)
0 Karma
Reply

yurykiselev
Path Finder
‎04-12-2018 01:16 AM

It's good idea:

eval mv1 = mvindex(temp, 0) | eval mv2 = mvindex(temp, 1) | eval mv3 = mvindex(temp, 2) | eval mv4 = mvindex(temp, 3)

, but size of value is variable and I need to create mv1..n dynamically

0 Karma
Reply

damien_chillet
Builder
‎04-11-2018 06:46 AM

Depends on the consistency of the value field but if it's always 4 numbers you could use something like this:

| rex field=value "(?P<value_0>\d+)\s(?P<value_1>\d+)\s(?P<value_2>\d+)\s(?P<value_3>\d+)"
0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...