Splunk Search

How can I split similar fields into multiple related events?

pwild_splunk
Splunk Employee
Splunk Employee

I have some events like this. Wifi AP and DEVICE connected to it. A one to many AP to DEVICE relationship exists

AP,DEVICE
---------------
A1,D1
A3,D2
A3,D3
A3,D4
A4,D5
A5,D6
A5,D7

I need to reformat this data to be like this:

tuple,D
-----------
1,A1
1,D1
2,A3
2,D2
3,A3
3,D3
4,A3
4,D4
5,A4
5,D5
6,A5
6,D6
7,A5
7,D7

Is there a cleaner way of doing this than below?

search cmd
| streamstats count as tuple
| eval point="1,2"
| makemv delim="," point
| mvexpand point
| eval D=if(point=1,AD,DEVICE)
|  table  tuple D

This is so I can use the Map+ vis to draw lines between these connected devices.

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

@pwild - you have it exactly right.

You can replace this...

| eval point="1,2"
| makemv delim="," point

...with this...

| eval point=mvrange(1,3)

...but that's about the only change that makes it any more elegant. Everything else you can do is just rearranging furniture.


Oh, wait...

 search cmd
 | streamstats count as tuple
 | eval D=mvappend(AD,DEVICE)
 | mvexpand D
 | table tuple D

Yeah, that's clearly more elegant.

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

@pwild - you have it exactly right.

You can replace this...

| eval point="1,2"
| makemv delim="," point

...with this...

| eval point=mvrange(1,3)

...but that's about the only change that makes it any more elegant. Everything else you can do is just rearranging furniture.


Oh, wait...

 search cmd
 | streamstats count as tuple
 | eval D=mvappend(AD,DEVICE)
 | mvexpand D
 | table tuple D

Yeah, that's clearly more elegant.

pwild_splunk
Splunk Employee
Splunk Employee

Thanks for such a quick response!

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...