Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Split array into multiple lines

makragic
New Member
‎08-15-2019 05:03 AM

I have event that looks like this:

field1: field1_value
field2: field2_value      
messages: [
 {
  inner_field1:  msg1_field1    
  inner_field2: mgs1_field2
  inner_field3: msg1_field3 
  inner_field4: msg1_field4 
 },
 {
  inner_field1: msg2_field1 
  inner_field2: msg2_field2
  inner_field3: msg2_field3 
  inner_field4: msg2_field4
 }
]}

I want create a table that has this structure:

| field1 | field2 | inner_field1 | inner_field2 | inner_field3 | inner_field 4 |
| ------------- |------------------| --------------| -------------| -------------| --------------|
| field1_value | field2_value | msf1_field1 | msg1_field2 | msg1_field3 | msg1_field4 |
| field1_value | field2_value | msg2_field1 | msg2_field2 | msg2_field3 | msg2_field4 |

Does anyone know how to do this?

0 Karma
Reply

somesoni2
Revered Legend
‎08-15-2019 07:22 AM

Give this a try. We're assuming that field names in array messages and outside array are different. If there are more number of fields in the arrya, you'd need to adjust the eval temp command and the rex command.

your base search
| table field1 field2 messages{}.*
| rename messages{}.* as *
| eval temp=mvzip('inner_field1',mvzip('inner_field2',mvzip('inner_field3','inner_field4',"##"),"##"),"##")
| table field1 field2 temp
| mvexpand temp
| rex field=temp "(?<inner_field1>.+)##(?<inner_field2>.+)##(?<inner_field3>.+)##(?<inner_field4>.+)" | fields - temp
0 Karma
Reply

makragic
New Member
‎08-15-2019 11:42 AM

Can you explain to me what ## mean?

I actually did something similar today myself, after mvexpand I did makemv temp delim="," and then used eval with mvindex.

0 Karma
Reply

Sukisen1981
Champion
‎08-15-2019 06:37 AM

hi @makragic
does your values of inner field always have 2 sets in one event or can they be more?
inner_field1 occurs 2 times in this array can it occur more than twice?

0 Karma
Reply

makragic
New Member
‎08-15-2019 11:39 AM

Messages can have any amount of entries, however, each message always has 4 fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...