Solved: Trouble extracting multivalue fields- How do I sep...

mistydennis · ‎09-27-2022

Hi all - I am having trouble pulling out mv fields into separate events. My data looks like this:

I'd like to pull each event out into it's own line, but I'm having trouble with the carriage returns and getting the fields to pair correctly (i.e., error 1232 is with server 1).

Example search:

| makeresults 
| eval error="1232
2345
5783
5689
2345
5678
5901", server="server1
server2
server3
server4
server6
server9
server7" 
| makemv delim="
" error 
| makemv delim="
" server 
| eval uniquekey=mvzip(server,error, ":")

How do I separate these fields into their own events so the data looks like:

1232	server1	server1:1232
2345	server2	server2:2345
5783	server3	server3:5783

kamlesh_vaghela · ‎09-27-2022

@mistydennis

Can you please try this?

YOUR_SEARCH
| eval t = mvzip(mvzip(server,error),uniquekey) 
| mvexpand t 
| rex field=t "(?<server>.*),(?<error>.*),(?<uniquekey>.*)" 
| table server error uniquekey

OR

YOUR_SEARCH
| eval t = mvzip(mvzip(server,error),uniquekey)
| mvexpand t 
| eval server=mvindex(split(t,","),0), error=mvindex(split(t,","),1), uniquekey=mvindex(split(t,","),2)
|table server error uniquekey

My Sample Search :

| makeresults 
| eval error="1232
2345
5783
5689
2345
5678
5901", server="server1
server2
server3
server4
server6
server9
server7" 
| makemv delim="
" error 
| makemv delim="
" server 
| eval uniquekey=mvzip(server,error, ":")
| rename comment as "upto this is sample data" 
| eval t = mvzip(mvzip(server,error),uniquekey)
| mvexpand t 
| eval server=mvindex(split(t,","),0), error=mvindex(split(t,","),1), uniquekey=mvindex(split(t,","),2)
|table server error uniquekey

| makeresults 
| eval error="1232
2345
5783
5689
2345
5678
5901", server="server1
server2
server3
server4
server6
server9
server7" 
| makemv delim="
" error 
| makemv delim="
" server 
| eval uniquekey=mvzip(server,error, ":") 
| rename comment as "upto this is sample data" 
| eval t = mvzip(mvzip(server,error),uniquekey) 
| mvexpand t 
| rex field=t "(?<server>.*),(?<error>.*),(?<uniquekey>.*)" 
| table server error uniquekey

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎09-27-2022

@mistydennis

Can you please try this?

YOUR_SEARCH
| eval t = mvzip(mvzip(server,error),uniquekey) 
| mvexpand t 
| rex field=t "(?<server>.*),(?<error>.*),(?<uniquekey>.*)" 
| table server error uniquekey

OR

YOUR_SEARCH
| eval t = mvzip(mvzip(server,error),uniquekey)
| mvexpand t 
| eval server=mvindex(split(t,","),0), error=mvindex(split(t,","),1), uniquekey=mvindex(split(t,","),2)
|table server error uniquekey

My Sample Search :

| makeresults 
| eval error="1232
2345
5783
5689
2345
5678
5901", server="server1
server2
server3
server4
server6
server9
server7" 
| makemv delim="
" error 
| makemv delim="
" server 
| eval uniquekey=mvzip(server,error, ":")
| rename comment as "upto this is sample data" 
| eval t = mvzip(mvzip(server,error),uniquekey)
| mvexpand t 
| eval server=mvindex(split(t,","),0), error=mvindex(split(t,","),1), uniquekey=mvindex(split(t,","),2)
|table server error uniquekey

| makeresults 
| eval error="1232
2345
5783
5689
2345
5678
5901", server="server1
server2
server3
server4
server6
server9
server7" 
| makemv delim="
" error 
| makemv delim="
" server 
| eval uniquekey=mvzip(server,error, ":") 
| rename comment as "upto this is sample data" 
| eval t = mvzip(mvzip(server,error),uniquekey) 
| mvexpand t 
| rex field=t "(?<server>.*),(?<error>.*),(?<uniquekey>.*)" 
| table server error uniquekey

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

Trouble extracting multivalue fields- How do I separate these fields into their own events?

field extraction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life