Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multivalue field to multiple fields

yurykiselev
Path Finder
‎04-11-2018 06:34 AM

Hi!
How to split multivalue field, e.g. JSON array elements (value😞

{
  "id": 4321,
  "value": [
   5, 6, 7, 8
  ]
}

.

id     | value
4321     5 6 7 8

to multiple fileds with some index remaining one event:

id     | value_0 | value_1 | value_2 | value_3
4321     5         6         7         8

Thank you!

Tags (1)
0 Karma
Reply

niketn
Legend
‎04-13-2018 10:12 AM

@yurykiselev, please try the following run anywhere search which mimics two JSON data one with 4 values and another with three. The commands from | makeresults till | fields - _raw _time generates the dummy data, instead of which you would need to use your current search.

|  makeresults
|  eval _raw=" {
   \"id\": 4321,
   \"value\": [
    5, 6, 7, 8
   ]
 }"
 | append 
    [|  makeresults
|  eval _raw=" {
   \"id\": 1234,
   \"value\": [
    1, 2, 3
   ]
 }"]
 |  spath
 |  fields - _raw _time
 |  rename "value{}" as value
 |  eval values_count=mvcount(value)+1
 |  eval counter=mvrange(1,values_count)
 |  eval value=mvzip(value,counter)
 |  fields - counter values_count
 |  mvexpand value
 |  eval value=split(value,",")
 |  eval counter="value_".mvindex(value,1),value=mvindex(value,0)
 |  chart values(value) by id counter
 |  fillnull value=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

niketn
Legend
‎04-11-2018 07:13 AM

@yurykiselev, would there be 4 values under value list or it can be any number of values?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

yurykiselev
Path Finder
‎04-13-2018 04:04 AM

It can be any

0 Karma
Reply

p_gurav
Champion
‎04-11-2018 07:06 AM

Can you try :

| makeresults | eval abc="5 6 7 8"|eval temp=split(abc," ") | eval mv1 = mvindex(temp, 0) | eval mv2 = mvindex(temp, 1) | eval mv3 = mvindex(temp, 2) | eval mv4 = mvindex(temp, 3)
0 Karma
Reply

yurykiselev
Path Finder
‎04-12-2018 01:16 AM

It's good idea:

eval mv1 = mvindex(temp, 0) | eval mv2 = mvindex(temp, 1) | eval mv3 = mvindex(temp, 2) | eval mv4 = mvindex(temp, 3)

, but size of value is variable and I need to create mv1..n dynamically

0 Karma
Reply

damien_chillet
Builder
‎04-11-2018 06:46 AM

Depends on the consistency of the value field but if it's always 4 numbers you could use something like this:

| rex field=value "(?P<value_0>\d+)\s(?P<value_1>\d+)\s(?P<value_2>\d+)\s(?P<value_3>\d+)"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...