Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Multivalue field to multiple fields

yurykiselev
Path Finder
‎04-11-2018 06:34 AM

Hi!
How to split multivalue field, e.g. JSON array elements (value😞

{
  "id": 4321,
  "value": [
   5, 6, 7, 8
  ]
}

.

id     | value
4321     5 6 7 8

to multiple fileds with some index remaining one event:

id     | value_0 | value_1 | value_2 | value_3
4321     5         6         7         8

Thank you!

Tags (1)
0 Karma
Reply

niketn
Legend
‎04-13-2018 10:12 AM

@yurykiselev, please try the following run anywhere search which mimics two JSON data one with 4 values and another with three. The commands from | makeresults till | fields - _raw _time generates the dummy data, instead of which you would need to use your current search.

|  makeresults
|  eval _raw=" {
   \"id\": 4321,
   \"value\": [
    5, 6, 7, 8
   ]
 }"
 | append 
    [|  makeresults
|  eval _raw=" {
   \"id\": 1234,
   \"value\": [
    1, 2, 3
   ]
 }"]
 |  spath
 |  fields - _raw _time
 |  rename "value{}" as value
 |  eval values_count=mvcount(value)+1
 |  eval counter=mvrange(1,values_count)
 |  eval value=mvzip(value,counter)
 |  fields - counter values_count
 |  mvexpand value
 |  eval value=split(value,",")
 |  eval counter="value_".mvindex(value,1),value=mvindex(value,0)
 |  chart values(value) by id counter
 |  fillnull value=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

niketn
Legend
‎04-11-2018 07:13 AM

@yurykiselev, would there be 4 values under value list or it can be any number of values?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

yurykiselev
Path Finder
‎04-13-2018 04:04 AM

It can be any

0 Karma
Reply

p_gurav
Champion
‎04-11-2018 07:06 AM

Can you try :

| makeresults | eval abc="5 6 7 8"|eval temp=split(abc," ") | eval mv1 = mvindex(temp, 0) | eval mv2 = mvindex(temp, 1) | eval mv3 = mvindex(temp, 2) | eval mv4 = mvindex(temp, 3)
0 Karma
Reply

yurykiselev
Path Finder
‎04-12-2018 01:16 AM

It's good idea:

eval mv1 = mvindex(temp, 0) | eval mv2 = mvindex(temp, 1) | eval mv3 = mvindex(temp, 2) | eval mv4 = mvindex(temp, 3)

, but size of value is variable and I need to create mv1..n dynamically

0 Karma
Reply

damien_chillet
Builder
‎04-11-2018 06:46 AM

Depends on the consistency of the value field but if it's always 4 numbers you could use something like this:

| rex field=value "(?P<value_0>\d+)\s(?P<value_1>\d+)\s(?P<value_2>\d+)\s(?P<value_3>\d+)"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...