Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Convert single row with list of ids to a table and join it with another table

elad
Engager
‎11-17-2021 03:04 AM

I have this query:

 

my search

| rex field=line ".*customerId\":(?<customer_id>[0-9]+)"

| dedup customer_id

| table customer_id

 

That returns multiple rows and generate a table:

 

customer_id
-----------
1
2
3
4
5

 

I also have another query  that returns a single row with an array  of ids:

 

Synced accounts: [ 1, 3, 5 ]

 

My questions are :

1) How can I convert the row from query 2 into a table with the ids 

2) how can I do left join between the results ( that I will see on the table only the ids from query 2)?

 

customer_id
----------
1
3
5

 

Thanks in advance 

Elad

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-17-2021 05:24 AM

You would have to do two rex

| rex "Synced accounts: \[(?<customer_ids>[^\]]+)\]"
| rex field=customer_ids max_match=0 "(?<customer_id>\d+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

elad
Engager
‎11-17-2021 03:53 AM

@PickleRick please see the example I provided:  

Synced accounts: [ 1, 3, 5 ]
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-17-2021 03:56 AM

But is it a single string value, a multivalued field, something else?

0 Karma
Reply
Solved! Jump to solution

elad
Engager
‎11-17-2021 05:23 AM

Please see @ITWhisperer answer - it does a group regex for the row and then convert it to multiple events with mvexpand

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-17-2021 03:43 AM 
my search
| rex field=line ".*customerId\":(?<customer_id>[0-9]+)"
| dedup customer_id
| table customer_id 
| join type=left customer_id [ your other search
  | rex max_match=0 "(?<customer_id>\d+)"
  | mvexpand customer_id
  | table customer_id]
0 Karma
Reply
Solved! Jump to solution

elad
Engager
‎11-17-2021 05:20 AM

@ITWhisperer thanks this was exactly what I was looking for.  But I have another issue now - the full row actually is something like : 

 

 

Synced accounts: [1,3,5], Deleted accounts: [2,4]

 

 

 

How can I make the regex ignore the groups on the deleted accounts list?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-17-2021 05:24 AM

You would have to do two rex

| rex "Synced accounts: \[(?<customer_ids>[^\]]+)\]"
| rex field=customer_ids max_match=0 "(?<customer_id>\d+)"
0 Karma
Reply
Solved! Jump to solution

elad
Engager
‎11-17-2021 07:33 AM

Amazing thanks!

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-17-2021 03:38 AM

What do you mean by "array"?

And are you sure you want a left join? It looks  more like inner join.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...