Getting Data In

Split array into multiple lines

makragic
New Member

I have event that looks like this:

field1: field1_value
field2: field2_value      
messages: [
 {
  inner_field1:  msg1_field1    
  inner_field2: mgs1_field2
  inner_field3: msg1_field3 
  inner_field4: msg1_field4 
 },
 {
  inner_field1: msg2_field1 
  inner_field2: msg2_field2
  inner_field3: msg2_field3 
  inner_field4: msg2_field4
 }
]}

I want create a table that has this structure:

| field1 | field2 | inner_field1 | inner_field2 | inner_field3 | inner_field 4 |
| ------------- |------------------| --------------| -------------| -------------| --------------|
| field1_value | field2_value | msf1_field1 | msg1_field2 | msg1_field3 | msg1_field4 |
| field1_value | field2_value | msg2_field1 | msg2_field2 | msg2_field3 | msg2_field4 |

Does anyone know how to do this?

0 Karma

somesoni2
Revered Legend

Give this a try. We're assuming that field names in array messages and outside array are different. If there are more number of fields in the arrya, you'd need to adjust the eval temp command and the rex command.

your base search
| table field1 field2 messages{}.*
| rename messages{}.* as *
| eval temp=mvzip('inner_field1',mvzip('inner_field2',mvzip('inner_field3','inner_field4',"##"),"##"),"##")
| table field1 field2 temp
| mvexpand temp
| rex field=temp "(?<inner_field1>.+)##(?<inner_field2>.+)##(?<inner_field3>.+)##(?<inner_field4>.+)" | fields - temp
0 Karma

makragic
New Member

Can you explain to me what ## mean?

I actually did something similar today myself, after mvexpand I did makemv temp delim="," and then used eval with mvindex.

0 Karma

Sukisen1981
Champion

hi @makragic
does your values of inner field always have 2 sets in one event or can they be more?
inner_field1 occurs 2 times in this array can it occur more than twice?

0 Karma

makragic
New Member

Messages can have any amount of entries, however, each message always has 4 fields.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...