Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trouble extracting multivalue fields- How do I separate these fields into their own events?

mistydennis
Communicator
‎09-27-2022 05:34 AM

Hi all - I am having trouble pulling out mv fields into separate events. My data looks like this:

Screenshot 2022-09-27 062425.jpg

I'd like to pull each event out into it's own line, but I'm having trouble with the carriage returns and getting the fields to pair correctly (i.e., error 1232 is with server 1). 

Example search:

 

 

 

| makeresults 
| eval error="1232
2345
5783
5689
2345
5678
5901", server="server1
server2
server3
server4
server6
server9
server7" 
| makemv delim="
" error 
| makemv delim="
" server 
| eval uniquekey=mvzip(server,error, ":")

 

 

 

 
How do I separate these fields into their own events so the data looks like:

1232 server1 server1:1232
2345 server2 server2:2345
5783 server3 server3:5783
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-27-2022 05:46 AM

@mistydennis 

Can you please try this?

YOUR_SEARCH
| eval t = mvzip(mvzip(server,error),uniquekey) 
| mvexpand t 
| rex field=t "(?<server>.*),(?<error>.*),(?<uniquekey>.*)" 
| table server error uniquekey

 

OR

YOUR_SEARCH
| eval t = mvzip(mvzip(server,error),uniquekey)
| mvexpand t 
| eval server=mvindex(split(t,","),0), error=mvindex(split(t,","),1), uniquekey=mvindex(split(t,","),2)
|table server error uniquekey

 

My Sample Search :

 

| makeresults 
| eval error="1232
2345
5783
5689
2345
5678
5901", server="server1
server2
server3
server4
server6
server9
server7" 
| makemv delim="
" error 
| makemv delim="
" server 
| eval uniquekey=mvzip(server,error, ":")
| rename comment as "upto this is sample data" 
| eval t = mvzip(mvzip(server,error),uniquekey)
| mvexpand t 
| eval server=mvindex(split(t,","),0), error=mvindex(split(t,","),1), uniquekey=mvindex(split(t,","),2)
|table server error uniquekey

 

| makeresults 
| eval error="1232
2345
5783
5689
2345
5678
5901", server="server1
server2
server3
server4
server6
server9
server7" 
| makemv delim="
" error 
| makemv delim="
" server 
| eval uniquekey=mvzip(server,error, ":") 
| rename comment as "upto this is sample data" 
| eval t = mvzip(mvzip(server,error),uniquekey) 
| mvexpand t 
| rex field=t "(?<server>.*),(?<error>.*),(?<uniquekey>.*)" 
| table server error uniquekey

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-27-2022 05:46 AM

@mistydennis 

Can you please try this?

YOUR_SEARCH
| eval t = mvzip(mvzip(server,error),uniquekey) 
| mvexpand t 
| rex field=t "(?<server>.*),(?<error>.*),(?<uniquekey>.*)" 
| table server error uniquekey

 

OR

YOUR_SEARCH
| eval t = mvzip(mvzip(server,error),uniquekey)
| mvexpand t 
| eval server=mvindex(split(t,","),0), error=mvindex(split(t,","),1), uniquekey=mvindex(split(t,","),2)
|table server error uniquekey

 

My Sample Search :

 

| makeresults 
| eval error="1232
2345
5783
5689
2345
5678
5901", server="server1
server2
server3
server4
server6
server9
server7" 
| makemv delim="
" error 
| makemv delim="
" server 
| eval uniquekey=mvzip(server,error, ":")
| rename comment as "upto this is sample data" 
| eval t = mvzip(mvzip(server,error),uniquekey)
| mvexpand t 
| eval server=mvindex(split(t,","),0), error=mvindex(split(t,","),1), uniquekey=mvindex(split(t,","),2)
|table server error uniquekey

 

| makeresults 
| eval error="1232
2345
5783
5689
2345
5678
5901", server="server1
server2
server3
server4
server6
server9
server7" 
| makemv delim="
" error 
| makemv delim="
" server 
| eval uniquekey=mvzip(server,error, ":") 
| rename comment as "upto this is sample data" 
| eval t = mvzip(mvzip(server,error),uniquekey) 
| mvexpand t 
| rex field=t "(?<server>.*),(?<error>.*),(?<uniquekey>.*)" 
| table server error uniquekey

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top