Splunk Search

Expand multivalue field into individual fields WITHOUT mvexpand

duesser
Path Finder

 

I have a multivalue field, which I would like to expand to individual fields, like so:

| makeresults count=1
| eval a=mvappend("1","7")

| eval a_0=mvindex(a,0,0)
| eval a_1=mvindex(a,1,1)

However, the length might be >2 and I would like to have a generic solution to do this. I know I can create a MV field with an index and use mvexpand and then stats to get all back into a single event, but I run into memory issues with this in my own data. 

 

In short: not use mvexpand and solve the issue in a generic fashion.

 

 

 

Labels (2)
0 Karma
1 Solution

dtburrows3
Builder

Think I found a hacky way of doing this.

dtburrows3_0-1702485351189.png

Seems to recursive and should loop through all mvfield values, assigning each one its own unique field name.

You can replicate this with this SPL.

| makeresults
    | eval
        mv_field=split("a|b|c|d|e|f|aa", "|")
        
    ``` Below SPL is what loops through MV field and gives each entry its own unique fieldname ```
    | eval
        iter=0,
        hacked_json=json_object()
    | foreach mode=multivalue mv_field
        [
            | eval
                iter='iter'+1,
                hacked_json=json_set(hacked_json, "mv_field_".'iter', '<<ITEM>>')
                    
            ]
    | spath input=hacked_json
    | fields - hacked_json, iter

View solution in original post

dtburrows3
Builder

Think I found a hacky way of doing this.

dtburrows3_0-1702485351189.png

Seems to recursive and should loop through all mvfield values, assigning each one its own unique field name.

You can replicate this with this SPL.

| makeresults
    | eval
        mv_field=split("a|b|c|d|e|f|aa", "|")
        
    ``` Below SPL is what loops through MV field and gives each entry its own unique fieldname ```
    | eval
        iter=0,
        hacked_json=json_object()
    | foreach mode=multivalue mv_field
        [
            | eval
                iter='iter'+1,
                hacked_json=json_set(hacked_json, "mv_field_".'iter', '<<ITEM>>')
                    
            ]
    | spath input=hacked_json
    | fields - hacked_json, iter

bowesmana
SplunkTrust
SplunkTrust

It's unfortunate that field_{<<ITEM>>}=<<ITEM>> does not work inside an MV foreach statement - the {} assignment does work if mode is not multivalue

0 Karma

duesser
Path Finder

Yes for real! That was my first idea. I think for static field length one could use something along this line of thought (does not work as is but should be doable):

 

| makeresults 
| eval
    mv_field=split("a|b|c|d|e|f|aa", "|") 
| fields ```other fields of interest``` mv_field [| makeresults count=7
| streamstats count
| eval temp="mv_field_",
    fieldname=temp.count 
| stats values(fieldname) AS fieldname 
| return $fieldname] 
| foreach mode=multifield mv_field_* 
[ eval "<<FIELD>>"=mvindex(mv_field,tonumber(<<MATCHSTR>>),tonumber(<<MATCHSTR>>))]

 

but seing this solution it is more elegant and general

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I came up with this in the middle of last year - perhaps you can adapt it to your purposes?

Solved: Re: Mutlivalue Field Problem - Splunk Community

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...