Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Split array into multiple lines

makragic
New Member
‎08-15-2019 05:03 AM

I have event that looks like this:

field1: field1_value
field2: field2_value      
messages: [
 {
  inner_field1:  msg1_field1    
  inner_field2: mgs1_field2
  inner_field3: msg1_field3 
  inner_field4: msg1_field4 
 },
 {
  inner_field1: msg2_field1 
  inner_field2: msg2_field2
  inner_field3: msg2_field3 
  inner_field4: msg2_field4
 }
]}

I want create a table that has this structure:

| field1 | field2 | inner_field1 | inner_field2 | inner_field3 | inner_field 4 |
| ------------- |------------------| --------------| -------------| -------------| --------------|
| field1_value | field2_value | msf1_field1 | msg1_field2 | msg1_field3 | msg1_field4 |
| field1_value | field2_value | msg2_field1 | msg2_field2 | msg2_field3 | msg2_field4 |

Does anyone know how to do this?

0 Karma
Reply

somesoni2
Revered Legend
‎08-15-2019 07:22 AM

Give this a try. We're assuming that field names in array messages and outside array are different. If there are more number of fields in the arrya, you'd need to adjust the eval temp command and the rex command.

your base search
| table field1 field2 messages{}.*
| rename messages{}.* as *
| eval temp=mvzip('inner_field1',mvzip('inner_field2',mvzip('inner_field3','inner_field4',"##"),"##"),"##")
| table field1 field2 temp
| mvexpand temp
| rex field=temp "(?<inner_field1>.+)##(?<inner_field2>.+)##(?<inner_field3>.+)##(?<inner_field4>.+)" | fields - temp
0 Karma
Reply

makragic
New Member
‎08-15-2019 11:42 AM

Can you explain to me what ## mean?

I actually did something similar today myself, after mvexpand I did makemv temp delim="," and then used eval with mvindex.

0 Karma
Reply

Sukisen1981
Champion
‎08-15-2019 06:37 AM

hi @makragic
does your values of inner field always have 2 sets in one event or can they be more?
inner_field1 occurs 2 times in this array can it occur more than twice?

0 Karma
Reply

makragic
New Member
‎08-15-2019 11:39 AM

Messages can have any amount of entries, however, each message always has 4 fields.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...