Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Split and create new row

dashield
Explorer
‎04-04-2021 06:23 AM

I do have a CSV file that consist of below column

  • EventName
  • Start Time
  • Username
  • severity
  • alertid

The data on the alertid became a list when user assigned multiple alert. 

Challenge:

How to separate the list from alertid, create a new entry each and copy the same value of the remaining column.

Below are the sample entry of CSV file.

Event Name,Start Time,Username,severity,alertid
"alert assigned","1617229938497","sampleuser","5","82574,82573,82572,82569,82568,82567"

------------------

Desired result.


Event Name,Start Time,Username,severity,alertid
"alert assigned","1617229938497","sampleuser","5","82574"
"alert assigned","1617229938497","sampleuser","5","82573"
"alert assigned","1617229938497","sampleuser","5","82572"
"alert assigned","1617229938497","sampleuser","5","82569"
"alert assigned","1617229938497","sampleuser","5","82568"
"alert assigned","1617229938497","sampleuser","5","82567"

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tscroggins
Influencer
‎04-04-2021 07:05 AM

@dashield 

It's a two-step process: 1) convert alertid to a multi-valued field and 2) expand alertid into multiple events, copying single-valued field values into each new event:

| inputlookup foo.csv
| eval alertid=split(alertid, ",")
| mvexpand alertid

To reverse the operation:

| stats values(alertid) as alertid by "Event Name" "Start Time" Username severity
| eval alertid=mvjoin(alertid, ",")

View solution in original post

Reply
Solved! Jump to solution
Solution

tscroggins
Influencer
‎04-04-2021 07:05 AM

@dashield 

It's a two-step process: 1) convert alertid to a multi-valued field and 2) expand alertid into multiple events, copying single-valued field values into each new event:

| inputlookup foo.csv
| eval alertid=split(alertid, ",")
| mvexpand alertid

To reverse the operation:

| stats values(alertid) as alertid by "Event Name" "Start Time" Username severity
| eval alertid=mvjoin(alertid, ",")

Reply
Solved! Jump to solution

dashield
Explorer
‎04-04-2021 07:21 AM

It worked exactly looking for. Thank you.

Tags (1)
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...