Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting multivalued field values that are truncated by auto field extraction

ken_t_huang
Explorer
‎06-13-2011 03:31 AM

Excuse me,
I have a data like this:
index=test, product=a, category="1";"3";"6",.....

how do I set the multi fields to search "3" "6"?
thanks!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎06-16-2011 02:58 PM

None of the mv/kv stuff works because the auto field extraction code stops interpreting category's value after the 2nd quote, so it looks like this: 

    category="1"  ;"3";"6"

None of the multivalue suggestions by other users will work because the 'category' field only has a value of "1". You need to pullout the values yourself. You'll need to do something like this. It's a little ugly but totally doable...

 index=test product=a category (3 OR 6) |  rex "category=(?<catvals>\S+)" | rex max_match=1000 field=catvals "(?<mvcatvals>\d+)" | search mvcatvals=3 OR mvcatvals=6

I'll explain. First, search for events that have a 3 or 6. Then use 'rex' pull out the string values like "1";"3";"6", into the 'catvals' field. Then use 'rex' to pull out the numbers 1,3,6 into a multivalued field, 'mvcatvals'. Finally, filter on it mvcatvals for 3 OR 6.

You can play with things and see what's going on, by running this search in the ui.

| stats count | eval fakeraw = "foo category=\"1\";\"3\";\"6\" foo" | rex field=fakeraw "category=(?<catvals>\S+)" | rex max_match=1000 field=catvals "(?<mvcatvals>\d+)"

(the "|stats count" nonsense is just to make a dummy event with no data).

View solution in original post

Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎06-16-2011 02:58 PM

None of the mv/kv stuff works because the auto field extraction code stops interpreting category's value after the 2nd quote, so it looks like this: 

    category="1"  ;"3";"6"

None of the multivalue suggestions by other users will work because the 'category' field only has a value of "1". You need to pullout the values yourself. You'll need to do something like this. It's a little ugly but totally doable...

 index=test product=a category (3 OR 6) |  rex "category=(?<catvals>\S+)" | rex max_match=1000 field=catvals "(?<mvcatvals>\d+)" | search mvcatvals=3 OR mvcatvals=6

I'll explain. First, search for events that have a 3 or 6. Then use 'rex' pull out the string values like "1";"3";"6", into the 'catvals' field. Then use 'rex' to pull out the numbers 1,3,6 into a multivalued field, 'mvcatvals'. Finally, filter on it mvcatvals for 3 OR 6.

You can play with things and see what's going on, by running this search in the ui.

| stats count | eval fakeraw = "foo category=\"1\";\"3\";\"6\" foo" | rex field=fakeraw "category=(?<catvals>\S+)" | rex max_match=1000 field=catvals "(?<mvcatvals>\d+)"

(the "|stats count" nonsense is just to make a dummy event with no data).

Reply
Solved! Jump to solution

torbael
Explorer
‎06-13-2011 11:55 PM

Try this one:

| makemv delim=";" category | mvexpand category | search category="3" OR category="6"

0 Karma
Reply
Solved! Jump to solution

ken_t_huang
Explorer
‎06-13-2011 05:58 PM

I have tried this, but it fail to search multi values, just show category="3" or "6"
I need to search all have 3 or 6.

0 Karma
Reply
Solved! Jump to solution

johandk
Path Finder
‎06-13-2011 04:45 AM

Something like this might work:

| makemv delim=";" category | search category="\"3"\" category="\"6"\"

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...