Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

1multiple value field should again be further splited by a delimiter (output : 2 multivalue fields) for every single event.

vn_g
Path Finder
‎03-13-2020 02:29 AM

Query :
index=systemdetails source=sytemdetails* Condition = 0
| eval
[ search index=systemdetails source=sytemdetails* Condition != 0
| head 1
| eval EL = "1584081083.114 ABC-12345 , 1584081089.114 DEF-678910"
| makemv delim="," EL
| fields EL
| return EL ]
| eval Final_EL = split(EL,",")
| eval ET = mvindex(split(Final_EL," "),0)
| eval EMN = mvindex(split(Final_EL," "),1)

Am successfully able to generate “Final_EL” multivalue field for each event.
Final_EL = 1584081083.114 ABC-12345 Final_EL = 1584081089.114 DEF-678910

Requirement :
Each event should have the multiple value fields(ET and EMN)
ET= 1584081083.114 ET = 1584081089.114
EMN = ABC-12345 EMN = DEF-678910

Tried using both the below ways , but both doesnt work
| rex max_match=0 field=Final_EL "(?((.*?),){0,})"
| eval ET = mvindex(split(Final_EL," "),0)

Kindly help.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-14-2020 01:26 PM

It is VERY unclear what you need but perhaps this example will provide you with a template:

index="systemdetails" AND source="sytemdetails*" AND Condition="0"
| append [ |makeresults
| eval EL = "1584081083.114 ABC-12345,1584081089.114 DEF-678910"
| makemv delim="," EL 
| eval DROPME="true" ]
| eventstats list(EL) AS EL
| where isnull(DROPME)
| eval Final_EL = mvindex(EL, -1)
| rex field=Final_EL "^(?<ET>\S+)\s+(?<EMN>\s+)"
0 Karma
Reply

manjunathmeti
Champion
‎03-14-2020 03:15 AM

Try this:

index=systemdetails source=sytemdetails* Condition = 0 
| eval 
    [ search index=systemdetails source=sytemdetails* Condition != 0 
    | head 1 
    | eval EL = "1584081083.114 ABC-12345 , 1584081089.114 DEF-678910" 
    | fields EL 
    | return EL ] 
| eval Final_EL = split(replace(EL, "\s*,\s*", ","), ",") 
| mvexpand Final_EL 
| eval ET_EMN = split(Final_EL, " "), ET = mvindex(ET_EMN, 0), EMN = mvindex(ET_EMN, 1)
0 Karma
Reply

to4kawa
Ultra Champion
‎03-14-2020 12:10 AM 
your search
| eval ET=split("1584081083.114,1584081089.114",",")
| eval EMN=split("ABC-12345,DEF-678910",",")
0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...