Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting each value from a multi-valued field

smhsplunk
Communicator
‎04-22-2016 08:11 AM

I have a column with some information as follows

traffic_location
ABC 23 EFG RKY
ABC 12 HIJ 23
ABD 23 HIJ 12

ABD 12 KYP 23
ABC 12 RMP 11

This is a single column, the values inside this single column is separated by single spaces.
I would like to access each of the 4 parts to put it in a dropdown menu, hence I need to access
them individually, The values also have many duplicates, so I also want to remove the duplicate.
So far I have this, but its returning me the entire row 

source=traffic_information | search * traffic_location | fields traffic_location | dedup traffic_location | eval firstValue=split(traffic_location," ") | search firstValue=1

The other I tried is this

source=traffic_information | search * traffic_location | fields traffic_location | dedup traffic_location | rex "^(?<traffic_location>\w+)" | table traffic_location

But I am getting the entire column and not sure how to get the split parts, can we get eval from rex ?

Please help.

Thanks in Advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-22-2016 08:17 AM

If you know the order of your fields is always the same you could do this:

 source=traffic_information 
| search * traffic_location 
| fields traffic_location 
| dedup traffic_location 
| eval traffic_location=split(traffic_location," ") 
| eval field1 = mvindex(traffic_location, 0)
| eval field2 = mvindex(traffic_location, 1)
| eval field3 = mvindex(traffic_location, 2)
| eval field4 = mvindex(traffic_location, 3)

View solution in original post

Reply
Solved! Jump to solution

sundareshr
Legend
‎04-22-2016 08:21 AM

You have couple of options

REX command

source=traffic_information traffic_location=* | rex field=traffic_location "(?<f1>[^\s]+)\s(?<f2>[^\s]+)\s(?<f3>[^\s]+)\s(?<f4>[^\s]+))"

Split command

source=traffic_information traffic_location=* | eval temp=split(traffic_location ," ") | eval f1=mvindex(temp,0)| eval f2=mvindex(temp,1)| eval f3=mvindex(temp,2) | eval f4=mvindex(temp,4)  | fields - temp
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-22-2016 08:17 AM

If you know the order of your fields is always the same you could do this:

 source=traffic_information 
| search * traffic_location 
| fields traffic_location 
| dedup traffic_location 
| eval traffic_location=split(traffic_location," ") 
| eval field1 = mvindex(traffic_location, 0)
| eval field2 = mvindex(traffic_location, 1)
| eval field3 = mvindex(traffic_location, 2)
| eval field4 = mvindex(traffic_location, 3)
Reply
Solved! Jump to solution

smhsplunk
Communicator
‎04-22-2016 08:27 AM

Thanks! This is what I was looking for.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...