Solved: Expand multivalue field into individual fields WIT...

duesser · ‎12-13-2023

I have a multivalue field, which I would like to expand to individual fields, like so:

| makeresults count=1
| eval a=mvappend("1","7")

| eval a_0=mvindex(a,0,0)
| eval a_1=mvindex(a,1,1)

However, the length might be >2 and I would like to have a generic solution to do this. I know I can create a MV field with an index and use mvexpand and then stats to get all back into a single event, but I run into memory issues with this in my own data.

In short: not use mvexpand and solve the issue in a generic fashion.

dtburrows3 · ‎12-13-2023

Think I found a hacky way of doing this.

Seems to recursive and should loop through all mvfield values, assigning each one its own unique field name.

You can replicate this with this SPL.

| makeresults
    | eval
        mv_field=split("a|b|c|d|e|f|aa", "|")
        
    ``` Below SPL is what loops through MV field and gives each entry its own unique fieldname ```
    | eval
        iter=0,
        hacked_json=json_object()
    | foreach mode=multivalue mv_field
        [
            | eval
                iter='iter'+1,
                hacked_json=json_set(hacked_json, "mv_field_".'iter', '<<ITEM>>')
                    
            ]
    | spath input=hacked_json
    | fields - hacked_json, iter

View solution in original post

dtburrows3 · ‎12-13-2023

Think I found a hacky way of doing this.

Seems to recursive and should loop through all mvfield values, assigning each one its own unique field name.

You can replicate this with this SPL.

| makeresults
    | eval
        mv_field=split("a|b|c|d|e|f|aa", "|")
        
    ``` Below SPL is what loops through MV field and gives each entry its own unique fieldname ```
    | eval
        iter=0,
        hacked_json=json_object()
    | foreach mode=multivalue mv_field
        [
            | eval
                iter='iter'+1,
                hacked_json=json_set(hacked_json, "mv_field_".'iter', '<<ITEM>>')
                    
            ]
    | spath input=hacked_json
    | fields - hacked_json, iter

bowesmana · ‎12-13-2023

It's unfortunate that field_{<<ITEM>>}=<<ITEM>> does not work inside an MV foreach statement - the {} assignment does work if mode is not multivalue

duesser · ‎12-14-2023

Yes for real! That was my first idea. I think for static field length one could use something along this line of thought (does not work as is but should be doable):

| makeresults 
| eval
    mv_field=split("a|b|c|d|e|f|aa", "|") 
| fields ```other fields of interest``` mv_field [| makeresults count=7
| streamstats count
| eval temp="mv_field_",
    fieldname=temp.count 
| stats values(fieldname) AS fieldname 
| return $fieldname] 
| foreach mode=multifield mv_field_* 
[ eval "<<FIELD>>"=mvindex(mv_field,tonumber(<<MATCHSTR>>),tonumber(<<MATCHSTR>>))]

but seing this solution it is more elegant and general

ITWhisperer · ‎12-13-2023

I came up with this in the middle of last year - perhaps you can adapt it to your purposes?

Solved: Re: Mutlivalue Field Problem - Splunk Community

Expand multivalue field into individual fields WITHOUT mvexpand

fields

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases