Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I split an event into a varible number of events?

hvdtol
Path Finder
‎06-24-2021 12:26 PM

Hello,

I have a directory structure which i want split up in separate events.

For example

\MAIN\SUB1\SUB2\SUB3\file.xlsx

This should be created as
\MAIN
\MAIN\SUB1
\MAIN\SUB1\SUB2\
\MAIN\SUB1\SUB2\SUB3\

Of course the number of subdirectories can vary, from 1 to many.
I know i cannot use a for loop command, so i am searching for a way to handle my challenge.

How should hanlde this, and is this possible?

Any help is apprecated.

Regards,

Harry

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-25-2021 01:30 AM 
| makeresults count=2
| streamstats count as row
| eval t="MAIN\\SUB1\\SUB2\\SUB3".mvindex(split(",\\SUB4",","),row%2)
| table t row
| eval path=split(t,"\\")
| eval sub=mvrange(1,mvcount(path)+1)
| mvexpand sub
| eval partial=mvjoin(mvindex(path,0,sub-1),"\\")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

hvdtol
Path Finder
‎06-24-2021 10:00 PM

Hi,

Thank you, but not exactly what i mean.

| makeresults
| eval t="MAIN\\SUB1\\SUB2\\SUB3"
| table t
| eval path=split(t,"\\")
|mvexpand path
| table path

The number of rows i want to write can vary, depending om the number of subdirectories.
How can i write the events as

event1 MAIN
event2 MAIN\SUB1\
event3 MAIN\SUB1\SUB2\
event4 MAIN\SUB1\SUB2\SUB3
event x when longer... 

Regards,

Harry

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-25-2021 01:30 AM 
| makeresults count=2
| streamstats count as row
| eval t="MAIN\\SUB1\\SUB2\\SUB3".mvindex(split(",\\SUB4",","),row%2)
| table t row
| eval path=split(t,"\\")
| eval sub=mvrange(1,mvcount(path)+1)
| mvexpand sub
| eval partial=mvjoin(mvindex(path,0,sub-1),"\\")
0 Karma
Reply
Solved! Jump to solution

hvdtol
Path Finder
‎06-25-2021 03:08 AM

Hi,

This is impressive.
I know you can do a lot with SPL, but i am always suprised when a ( for me not possible ) challenge can be accomplished.

Thank you very much.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-24-2021 12:50 PM 
| eval path=split(path,"\\")
| mvexpand path
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...