Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can i create new fields with data from two different multi value fields?

mauricio_sandov
Explorer
‎09-19-2023 10:14 AM

I need to break out log data from two separate multi-value fields into single value fields. Here is what data looks like:

Screenshot 2023-09-19 at 12.00.11 PM.png

 Each line of data from "participants{}.object_value" corresponds to the line in "participants{}.role" and I would like named victims and offender fields.  I dont understand how to use the mv commands to expand the data from two different fields and then combine them into new fields.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2023 10:28 AM

Once multi-value fields are expanded, any relationship among them is lost.  They need to be combined into a new field before expansion.

...
| eval new_field = mvzip("participants{}.object_value", "participants{}.role")
| mvexpand new_field
| eval new_field = split(new_field, ",")
| eval object_value = mvindex(new_field, 0), role = mvindex(new_field, 1)

The mvzip function combines two multi-value fields, separating them with a comma.  The split function later on breaks the field on the comma.  If you have more than two fields to combine, use nested mvzip functions.

| eval new_field = mvzip(field1, mvzip(field2, mvzip(field3, field4)))

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2023 10:28 AM

Once multi-value fields are expanded, any relationship among them is lost.  They need to be combined into a new field before expansion.

...
| eval new_field = mvzip("participants{}.object_value", "participants{}.role")
| mvexpand new_field
| eval new_field = split(new_field, ",")
| eval object_value = mvindex(new_field, 0), role = mvindex(new_field, 1)

The mvzip function combines two multi-value fields, separating them with a comma.  The split function later on breaks the field on the comma.  If you have more than two fields to combine, use nested mvzip functions.

| eval new_field = mvzip(field1, mvzip(field2, mvzip(field3, field4)))

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

mauricio_sandov
Explorer
‎09-25-2023 09:59 AM

Thank you this worked and did what I needed

Reply
Solved! Jump to solution

mauricio_sandov
Explorer
‎09-25-2023 09:00 AM

I will give this a shot to see what I get. thx

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...