Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I split an event into a varible number of events?

hvdtol
Path Finder
‎06-24-2021 12:26 PM

Hello,

I have a directory structure which i want split up in separate events.

For example

\MAIN\SUB1\SUB2\SUB3\file.xlsx

This should be created as
\MAIN
\MAIN\SUB1
\MAIN\SUB1\SUB2\
\MAIN\SUB1\SUB2\SUB3\

Of course the number of subdirectories can vary, from 1 to many.
I know i cannot use a for loop command, so i am searching for a way to handle my challenge.

How should hanlde this, and is this possible?

Any help is apprecated.

Regards,

Harry

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-25-2021 01:30 AM 
| makeresults count=2
| streamstats count as row
| eval t="MAIN\\SUB1\\SUB2\\SUB3".mvindex(split(",\\SUB4",","),row%2)
| table t row
| eval path=split(t,"\\")
| eval sub=mvrange(1,mvcount(path)+1)
| mvexpand sub
| eval partial=mvjoin(mvindex(path,0,sub-1),"\\")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

hvdtol
Path Finder
‎06-24-2021 10:00 PM

Hi,

Thank you, but not exactly what i mean.

| makeresults
| eval t="MAIN\\SUB1\\SUB2\\SUB3"
| table t
| eval path=split(t,"\\")
|mvexpand path
| table path

The number of rows i want to write can vary, depending om the number of subdirectories.
How can i write the events as

event1 MAIN
event2 MAIN\SUB1\
event3 MAIN\SUB1\SUB2\
event4 MAIN\SUB1\SUB2\SUB3
event x when longer... 

Regards,

Harry

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-25-2021 01:30 AM 
| makeresults count=2
| streamstats count as row
| eval t="MAIN\\SUB1\\SUB2\\SUB3".mvindex(split(",\\SUB4",","),row%2)
| table t row
| eval path=split(t,"\\")
| eval sub=mvrange(1,mvcount(path)+1)
| mvexpand sub
| eval partial=mvjoin(mvindex(path,0,sub-1),"\\")
0 Karma
Reply
Solved! Jump to solution

hvdtol
Path Finder
‎06-25-2021 03:08 AM

Hi,

This is impressive.
I know you can do a lot with SPL, but i am always suprised when a ( for me not possible ) challenge can be accomplished.

Thank you very much.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-24-2021 12:50 PM 
| eval path=split(path,"\\")
| mvexpand path
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...