Splunk Search

Expand two multi value field with different format using mvexpand

ahmadshakir1952
Explorer

Trying to expand two multi-value fields using mvexpand for the scenario below:

Jhon purchased both Mango and Banana.
Colins purchased Papaya and Brad purchased Apple.


My current output is not showing that Apple is purchased by Brad.

The part of the code used for expanding is below:

| table Name,Fruit | eval sample = mvzip(Name,Fruit) | mvexpand sample | makemv sample delim="," | eval Name=mvindex(sample,0)| eval Fruit=mvindex(sample,1) 

Please help to get the desired output as per the last picture.


to4kawa
Ultra Champion

UPDATED:

| makeresults 
| eval Name=split("Jhon,Colins,Brad",",") 
| eval Fruit=split("Mango,Banana,Papaya,Apple",",") 
| eval field_x=split("eat,like,love,taste",",") 
| eval field_y=split("one,two",",") 
| fields - _time 
| rename COMMENT as "this is sample data you provided" 
| rename COMMENT as "From here, the logic" 
| eval _counter=mvrange(0,mvcount(Fruit)) 
| eval Name = mvappend(mvindex(Name,0),Name) 
| stats list(*) as * by _counter
| foreach * 
    [ eval <<FIELD>> = case(mvcount(<<FIELD>>) = 2, mvindex(<<FIELD>>,_counter % 2),true(),mvindex(<<FIELD>>,_counter))] 
| fields Name field_x field_y Fruit

Hi, @ahmadshakir1952
I don't use mvexpand, but how about this?

ahmadshakir1952
Explorer

Here I have given an example of two fields. Can you please do it for 2 more fields which are also multi-valued, i.e. field names field_x and field_y? Then what would be the foreach condition?


to4kawa
Ultra Champion

Hi @ahmadshakir1952
My answer is updated. Please confirm.


kamlesh_vaghela
SplunkTrust

@ahmadshakir1952

Your posted images are not providing proper information regarding field type and so on. So can you please provide some sample events or images from a Splunk search?

Meanwhile, check the below thing also.

Is the value of the Fruit field against the name Jhon multivalued? Like the output of the below search?

| makeresults 
| eval name="Jhon|Colins|Brad",friuts="Mango#Banana|Papaya|Apple", name=split(name,"|"),friuts=split(friuts,"|") , tmp=mvzip(name,friuts) 
| mvexpand tmp 
| eval name=mvindex(split(tmp,","),0),friuts=mvindex(split(tmp,","),1),friuts=split(friuts,"#")
| rename COMMENT as "This is sample of your search" 
| table name friuts

Then try to append | mvexpand friuts .

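As an added illustration (not part of this thread and not Splunk code), a small Python model of mvzip and mvexpand: it shows why zipping two unaligned lists silently drops Apple, and how a nested delimiter inside one value per name, as in kamlesh_vaghela's search, expands to the desired rows. The sample lists are constructed from the question's data.

```python
# Constructed sample mirroring the thread: Jhon's two fruits are nested
# with "#" inside a single value, so there is one Fruit value per Name.
NAMES = ["Jhon", "Colins", "Brad"]
FRUITS_FLAT = ["Mango", "Banana", "Papaya", "Apple"]   # what the question's query zips
FRUITS_NESTED = ["Mango#Banana", "Papaya", "Apple"]    # one value per name


def mvzip(a: list, b: list, delim: str = ",") -> list:
    """Model of Splunk mvzip: pairs values index-wise, stops at the shorter list."""
    return [f"{x}{delim}{y}" for x, y in zip(a, b)]


def mvexpand(rows: list, field: str) -> list:
    """Model of Splunk mvexpand: emits one copy of the row per value of `field`."""
    out = []
    for row in rows:
        vals = row[field] if isinstance(row[field], list) else [row[field]]
        for v in vals:
            copy = dict(row)
            copy[field] = v
            out.append(copy)
    return out


def expand_flat(names: list, fruits: list) -> list:
    """The question's approach: mvzip two unaligned lists, then expand.
    The 4th fruit has no 4th name to pair with, so it is lost."""
    rows = mvexpand([{"sample": mvzip(names, fruits)}], "sample")
    return [tuple(r["sample"].split(",")) for r in rows]


def expand_nested(names: list, fruits: list, nested_delim: str = "#") -> list:
    """Two-stage expansion: expand the name/fruit pairs first, then split the
    nested fruit value on `nested_delim` and expand again."""
    rows = mvexpand([{"tmp": mvzip(names, fruits)}], "tmp")
    for r in rows:
        name, fruit = r["tmp"].split(",")
        r["name"], r["fruit"] = name, fruit.split(nested_delim)
    rows = mvexpand(rows, "fruit")
    return [(r["name"], r["fruit"]) for r in rows]


if __name__ == "__main__":
    print(expand_flat(NAMES, FRUITS_FLAT))      # Apple is missing, pairs misaligned
    print(expand_nested(NAMES, FRUITS_NESTED))  # four correct (name, fruit) rows
```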

ahmadshakir1952
Explorer

Name and Fruit both are from different sourcetypes, but they both share a common ID field. In this example, Jhon is multi-valued, and in the Name column it's not certain which value is going to be multivalued in the Fruit column/field.


kamlesh_vaghela
SplunkTrust

@ahmadshakir1952
Can you please share sample events from both sourcetypes, so I can help you design the search?
