Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract multiple values from a single field into multiple unique fields

alex387
New Member
‎09-02-2019 05:14 PM

Hello,

Is there a way to split out the unique values of a field into separate fields that are returned after a search?

For example, my search returns the following syslog messages
Login Success from 1.1.1.1
Login Failed from 2.2.2.2
Login Failed from 1.1.1.1

Splunk has extracted the following field "field 1" which contains the "Success" and "Failed" string values

Is there a way (preferably eval command) to extract these values into there own unique fields, i.e field2=Failed, field3=Success

This is so I can use a table command like the following
| table ip, field1, field2, field3

Thank you

Tags (1)
0 Karma
Reply

thesplunkmonkey
Path Finder
‎09-13-2019 01:42 PM

Hey @alex387, just following up to see if you got the answer you need.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-03-2019 12:30 PM

I agree with @adonio about this request not making a lot of sense. However, here's one way to do it.

... | eval field2 = if(field1=="Success", field1, NULL), field3 = if(field1=="Failed", field1, NULL)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

thesplunkmonkey
Path Finder
‎09-03-2019 09:24 AM

There's other ways to do this, but here's one possibility for you --

Based on your sample data, it seems you would know the possible values ahead of time. If that's the case, you could use an eval to assign the value to a field you want.

... | eval field2=if(field1 == "Failed", field1, "") | eval field3=if(field1 == "Success", field1, "") | table ip field2 field3

This would give you the following, given the data you provided.

ip            field2       field3
1.1.1.1                    Success
2.2.2.2       Failed
1.1.1.1       Failed
0 Karma
Reply

adonio
Ultra Champion
‎09-02-2019 08:47 PM

why would you want that?
the entire idea is to be able to put different values in fields so you can perform functions and statistics on them
a single value to a field is almost meaningless ...
you can always do your query with table, but i think you probably have a question regarding your data ...
think about this / those question/s articulate them, and write the query that will answer it.
also, i recommend to read at docs.splunk.com regarding fields, extractions, and data on-boarding

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...