Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract fields from multi value fields

chiwang
Explorer
‎02-28-2013 01:50 PM

I am trying to create a new fields from a multi value fields. Here's an example:

group_id, user_id  user_address         user_phone_number
a         123      cityA, NY, USA       123-234-345
          234      cityBC, NJ, USA      234-345-345
b         567      cityDEF, NY, USA     234-345-456

stats list(user_id), list(user_address), list(user_phone_number) by group_id

user_id, user_address and user_phone_number are multi value fields.
I want to be able to extract state information from user_address to generate a table like this

group_id, user_id  state         user_phone_number
a         123      NY            123-234-345
          234      NJ            234-345-345
b         567      NY            234-345-456

How can I achieve this?

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-28-2013 02:17 PM

The same way as extracting it from a single value field:

| stats count | fields - count | eval foo = "New York City, NY, USA;Los Angeles, CA, USA" | makemv foo delim=";" | rex field=foo ", (?<state>[A-Z][A-Z]),"
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-04-2013 07:55 AM

The issue is not the expression, that worked fine. Apparently your Splunk version treats multi-valued fields differently.

0 Karma
Reply

chiwang
Explorer
‎03-04-2013 07:53 AM

Updated with (?[^,]+,[A-Z]+), no states are returned.

foo                                 state
New York City, NY, USA              
Los Angees, CA, USA
0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎03-01-2013 02:18 PM

Maybe try a different regex?
(?[^,]+,[A-Z]+)

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 01:34 PM

I see. Over here in 5 it works like a charm.

0 Karma
Reply

chiwang
Explorer
‎03-01-2013 01:25 PM 

foo                                 state
New York City, NY, USA              NY
Los Angees, CA, USA

CA is not listed
I am using splunk 4.3.1.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 09:04 AM

What result are you getting when you enter my example query into splunk?

0 Karma
Reply

chiwang
Explorer
‎03-01-2013 08:44 AM

With this query, if I run

stats list(user_id), list(state), list(user_phone_number) by group_id

I will get this: 

group_id, user_id  state         user_phone_number

a         123      NY            123-234-345

          234                    234-345-345

b         567      NY            234-345-456

Only the first state in a group is displayed

Any idea how to get a full list of states?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...