Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multivalue field to multiple fields

yurykiselev
Path Finder
‎04-11-2018 06:34 AM

Hi!
How to split multivalue field, e.g. JSON array elements (value😞

{
  "id": 4321,
  "value": [
   5, 6, 7, 8
  ]
}

.

id     | value
4321     5 6 7 8

to multiple fileds with some index remaining one event:

id     | value_0 | value_1 | value_2 | value_3
4321     5         6         7         8

Thank you!

Tags (1)
0 Karma
Reply

niketn
Legend
‎04-13-2018 10:12 AM

@yurykiselev, please try the following run anywhere search which mimics two JSON data one with 4 values and another with three. The commands from | makeresults till | fields - _raw _time generates the dummy data, instead of which you would need to use your current search.

|  makeresults
|  eval _raw=" {
   \"id\": 4321,
   \"value\": [
    5, 6, 7, 8
   ]
 }"
 | append 
    [|  makeresults
|  eval _raw=" {
   \"id\": 1234,
   \"value\": [
    1, 2, 3
   ]
 }"]
 |  spath
 |  fields - _raw _time
 |  rename "value{}" as value
 |  eval values_count=mvcount(value)+1
 |  eval counter=mvrange(1,values_count)
 |  eval value=mvzip(value,counter)
 |  fields - counter values_count
 |  mvexpand value
 |  eval value=split(value,",")
 |  eval counter="value_".mvindex(value,1),value=mvindex(value,0)
 |  chart values(value) by id counter
 |  fillnull value=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

niketn
Legend
‎04-11-2018 07:13 AM

@yurykiselev, would there be 4 values under value list or it can be any number of values?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

yurykiselev
Path Finder
‎04-13-2018 04:04 AM

It can be any

0 Karma
Reply

p_gurav
Champion
‎04-11-2018 07:06 AM

Can you try :

| makeresults | eval abc="5 6 7 8"|eval temp=split(abc," ") | eval mv1 = mvindex(temp, 0) | eval mv2 = mvindex(temp, 1) | eval mv3 = mvindex(temp, 2) | eval mv4 = mvindex(temp, 3)
0 Karma
Reply

yurykiselev
Path Finder
‎04-12-2018 01:16 AM

It's good idea:

eval mv1 = mvindex(temp, 0) | eval mv2 = mvindex(temp, 1) | eval mv3 = mvindex(temp, 2) | eval mv4 = mvindex(temp, 3)

, but size of value is variable and I need to create mv1..n dynamically

0 Karma
Reply

damien_chillet
Builder
‎04-11-2018 06:46 AM

Depends on the consistency of the value field but if it's always 4 numbers you could use something like this:

| rex field=value "(?P<value_0>\d+)\s(?P<value_1>\d+)\s(?P<value_2>\d+)\s(?P<value_3>\d+)"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...