Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get same values from mutlivalue field?

dhirendra761
Contributor
‎09-29-2022 02:45 AM

Hi, 

 We have below problem data in lookup: 

pan assestId item_deviceId phoneNumber imeID
11023 ass#ABC1#man6558962f asst#ABC1#man827631e ite#0#man76451627ahdgs ite#0#man76451627ahd75 ite#0#man76451627ahdgs 8763173699 123456789
11023 ass#ABC1#man6558962f asst#ABC1#man827631e ite#0#man76451627ahdgs ite#0#man76451627ahd75  ite#0#man76451627ahd75 8736628187 987654321

 

Now we require new field "Mobile_DeviceId" from "assestId"  for identical row.

As per below splunk table:

pan assestId item_deviceId phoneNumber imeID Mobile_DeviceId
11023 ass#ABC1#man6558962f asst#ABC1#man827631e ite#0#man76451627ahdgs ite#0#man76451627ahd75 ite#0#man76451627ahdgs 8763173699 123456789 ass#ABC1#man6558962f
11023 ass#ABC1#man6558962f asst#ABC1#man827631e ite#0#man76451627ahdgs ite#0#man76451627ahd75  ite#0#man76451627ahd75 8736628187 987654321 asst#ABC1#man827631e

 

Is it possible from SPL?? Please help me to create SPL.

My query is:

 

 

| inputlookp abc.csv
| table pan assestId item_deviceId phoneNumber imeID
| eval Mobile_DeviceId=split(assestId," ")|mvexpand Mobile_DeviceId| search Mobile_DeviceId=ass#*

 

 

 

Labels (2)
Labels
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-29-2022 04:15 AM

How do you identify which assestId is required as the Mobile_DevideId - assuming that there are an even number of assestIds and the device id in the first part of the list corresponds to the item in the second part of the list e.g. 1st matches with 3rd and 2nd matches with 4th (as in your example), then you could try something like this

| inputlookp abc.csv
| table pan assestId item_deviceId phoneNumber imeID
| eval Mobile_DeviceId=split(assestId," ")
| eval Mobile_DeviceId=mvindex(Mobile_DeviceId,mvfind(Mobile_DeviceId, item_deviceId)%(mvcount(Mobile_DeviceId)/2))

View solution in original post

Reply
Solved! Jump to solution

dhirendra761
Contributor
‎09-29-2022 04:45 AM

Thank you so much @ITWhisperer

You are awesome.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-29-2022 04:15 AM

How do you identify which assestId is required as the Mobile_DevideId - assuming that there are an even number of assestIds and the device id in the first part of the list corresponds to the item in the second part of the list e.g. 1st matches with 3rd and 2nd matches with 4th (as in your example), then you could try something like this

| inputlookp abc.csv
| table pan assestId item_deviceId phoneNumber imeID
| eval Mobile_DeviceId=split(assestId," ")
| eval Mobile_DeviceId=mvindex(Mobile_DeviceId,mvfind(Mobile_DeviceId, item_deviceId)%(mvcount(Mobile_DeviceId)/2))
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎09-30-2022 04:08 AM

Hi @ITWhisperer ,

What change required  in query if we want to swap the value of Mobile_DeviceId?? without applying SORT command

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2022 05:03 AM

What do you mean by swap? What result are you trying to achieve?

0 Karma
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎09-30-2022 06:14 AM

Swap means switch the value in last column.

 

0 Karma
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎09-30-2022 06:18 AM

As per below splunk table:

panassestIditem_deviceIdphoneNumberimeIDMobile_DeviceId
11023ass#ABC1#man6558962f asst#ABC1#man827631e ite#0#man76451627ahdgs ite#0#man76451627ahd75ite#0#man76451627ahdgs8763173699123456789asst#ABC1#man827631e
11023ass#ABC1#man6558962f asst#ABC1#man827631e ite#0#man76451627ahdgs ite#0#man76451627ahd75 ite#0#man76451627ahd758736628187987654321

ass#ABC1#man6558962f

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2022 07:21 AM 
| inputlookp abc.csv
| table pan assestId item_deviceId phoneNumber imeID
| eval Mobile_DeviceId=split(assestId," ")
| eval Mobile_DeviceId=mvindex(Mobile_DeviceId,(mvcount(Mobile_DeviceId)/2)-(mvfind(Mobile_DeviceId, item_deviceId)%(mvcount(Mobile_DeviceId)/2)))
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎10-04-2022 03:01 AM

Thank You @ITWhisperer  for your prompt support. 

🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...