mvexpand & split command not working on JSON data

ashish9433 · ‎12-23-2018

Hi,

I have JSON data, which seems to be properly prased. I have a field which holds multiple IPs in a new lined when seen in formatted events and seperated with \n when seen in un-formatted.

Check the below screenshot

alt text

I am unable to use mvexpand or split or even i tried to use makemv command but it doesn't work as expected.

Any clue, how to handle this situation, when i do a stats or table i want IPs as multivalued whereas currently it is displayed as just a text with IPs separated with space.

vsingla1 · ‎03-17-2020

@ashish9433 I am also facing the same issue where splunk is unable to run split and mvexpand on the json data. Did you find a resolution to your question? If so, could you share it?

to4kawa · ‎04-04-2020

@visngla1
What is your log?
If not, ask another question.

adonio · ‎12-23-2018

maybe something like this:

... | rex "\"ips\"\:\"(?<all_ips>[^\"]+)"
this will capture all ips as a long string and assign it as a value to the field: "all_ips">
now go to the makemv and mvexpand
... | makemv all_ips delim = "\n" | mvexpand all_ips

hope it helps

mvexpand & split command not working on JSON data

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

Are you a member of the Splunk Community?

mvexpand & split command not working on JSON data

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition