Getting Data In

Split array into multiple lines

New Member

I have event that looks like this:

field1: field1_value
field2: field2_value      
messages: [
  inner_field1:  msg1_field1    
  inner_field2: mgs1_field2
  inner_field3: msg1_field3 
  inner_field4: msg1_field4 
  inner_field1: msg2_field1 
  inner_field2: msg2_field2
  inner_field3: msg2_field3 
  inner_field4: msg2_field4

I want create a table that has this structure:

| field1 | field2 | inner_field1 | inner_field2 | inner_field3 | inner_field 4 |
| ------------- |------------------| --------------| -------------| -------------| --------------|
| field1_value | field2_value | msf1_field1 | msg1_field2 | msg1_field3 | msg1_field4 |
| field1_value | field2_value | msg2_field1 | msg2_field2 | msg2_field3 | msg2_field4 |

Does anyone know how to do this?

0 Karma

Revered Legend

Give this a try. We're assuming that field names in array messages and outside array are different. If there are more number of fields in the arrya, you'd need to adjust the eval temp command and the rex command.

your base search
| table field1 field2 messages{}.*
| rename messages{}.* as *
| eval temp=mvzip('inner_field1',mvzip('inner_field2',mvzip('inner_field3','inner_field4',"##"),"##"),"##")
| table field1 field2 temp
| mvexpand temp
| rex field=temp "(?<inner_field1>.+)##(?<inner_field2>.+)##(?<inner_field3>.+)##(?<inner_field4>.+)" | fields - temp
0 Karma

New Member

Can you explain to me what ## mean?

I actually did something similar today myself, after mvexpand I did makemv temp delim="," and then used eval with mvindex.

0 Karma


hi @makragic
does your values of inner field always have 2 sets in one event or can they be more?
inner_field1 occurs 2 times in this array can it occur more than twice?

0 Karma

New Member

Messages can have any amount of entries, however, each message always has 4 fields.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...