- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Change multivalue field to strings
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have table like tis
name | Category
"one; one two; bla trhree aaa bbb; ddddd eeeee aaaaaa; wwww" | Category1
"one; bla wwww; eeee; bbb zzzzz" | Category2
"one" | Category3
Now I have multivalue Field in dashboard, where I want to put query like ( for Category1)
search name ="one" or "one two" or "bla trhree aaa bbb" or "ddddd eeeee aaaaa" or "wwww"
based on Category.
I tried to replace ";" by "OR" :
eval Ids = replace(Ids , ";", " OR ")
But, it gives me:
one OR one two OR bla trhree aaa bbb OR ddddd eeeee aaaaaa OR wwww
And I want to have :
"one" OR "one two" OR "bla trhree aaa bbb" OR "ddddd eeeee aaaaaa" OR "wwww"
What should I use to treat it like string, not separated values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your explanation is VERY confusing but I am pretty sure that you can do what you need with one of these examples:
To create a test mv field:
| makeresults | eval mv="a b c d e f g" | table mv | makemv mv
Now look what adding this does:
| format
Now look what adding this does:
| format "" "" "" "" "" ""
Now look what adding this does:
| rex field=mv mode=sed "s/$/ OR/"
| nomv mv
| rex field=mv mode=sed "s/^/(/ s/OR$/)/"
That should give you the building blocks to do what you need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your explanation is VERY confusing but I am pretty sure that you can do what you need with one of these examples:
To create a test mv field:
| makeresults | eval mv="a b c d e f g" | table mv | makemv mv
Now look what adding this does:
| format
Now look what adding this does:
| format "" "" "" "" "" ""
Now look what adding this does:
| rex field=mv mode=sed "s/$/ OR/"
| nomv mv
| rex field=mv mode=sed "s/^/(/ s/OR$/)/"
That should give you the building blocks to do what you need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, it helped, but I have next problem.
Basically I have search wich gives me two field Name and Category (there is always 1 value in each of them).
Then I want to append lookup file which containes dozens vales like this from my previous question.
(So Name is f.e "aa bbb c d e f g" as Name and Category (with 1 value).
And the problems is that how format each multiplevalue field to (mv="aa" OR mv="bbb" OR mv="c" OR mv="d" ... )
I guess that regex wil be the solution, but I am still wondering hot to manage that.
Finally I want to have Name like before to use it as token in different searches, and Category to put it in dropdown as a fieldForLabel.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a new question, give EXAMPLE EVENTS, and a MOCKUP of DESIRED SOLUTION.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ROFL. That's how to teach someone to fish. Here- throw this hook with a cricket over there and see what happens. Now try it under that log with this worm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are right, I didn't explained it well (I was in a hurry) BUT You managed to help me anyway!
Thank You!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
