Solved: Extracting multiple field values from a comma sepe... - Splunk Community

Splunk Search

Hello All,

What is the best way to extract into a single field mutiple values from a comma-seperated list:

Example: xxxx Books:1,2,3,65,2,5 xxxxxx

From this I have created a field called Books which contains the string 1,2,3,65,2,5 however what I would like to do is create a field called Books which takes each value as a single entry.

So from the above example I would have 6 entries in the field Book for this particular log entry.

1 Solution

Solution

If you have extracted the field Books with a single value of 1,2,3,65,2,5 and want it to report as a multi-valued attribute, try this at search time:

Books = * | makemv delim="," Books

View solution in original post

Solution

If you have extracted the field Books with a single value of 1,2,3,65,2,5 and want it to report as a multi-valued attribute, try this at search time:

Books = * | makemv delim="," Books

Just in case, the other option is to use transforms.conf and fields.conf

http://wiki.splunk.com/Community:Comma-Separated_Multi-Value_Field_Extraction_In_Single-line_Event

This can be easily done through regex on your props.conf & transforms.conf:

props.conf

[sourcetype_for_the_csv]
REPORT-multifield = multifield

transforms.conf

[multifield]
REGEX = Books:(\d+,\d+,\d+,\d+,\d+,\d+)
FORMAT = book::$1

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...