
How do I delimit multivalue fields?

Explorer

Dear All,

We have a scenario where, for each Application_ID, Application_Name is multi-valued and delimited.

We would like the data loaded into individual rows, in the following manner:

Example: Application_Name is multi-value and delimited (A:B:C)

ApplicationID ApplicationName
1 A:B:C
2 D:E:F

Desired Output:

Row 1: 1 A
Row 2: 1 B
Row 3: 1 C
Row 4: 2 D
Row 5: 2 E
Row 6: 2 F

How do I accomplish this?

Thanks in Advance
Anil


Re: How do I delimit multivalue fields?

SplunkTrust

Hi

Can you please try this search?

YOUR SEARCH | makemv delim=":" Application_Name | mvexpand Application_Name

Thanks

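As an added illustration (not code from any post in this thread, and not Splunk's own implementation), here is a small Python model of what the accepted answer's `makemv delim=":"` followed by `mvexpand` does to a result set, run on the sample rows from the question. The model's assumptions: a result set is a list of dicts, a multivalue field is a Python list, a single-value field is a str, and the optional `limit` argument stands in for mvexpand's limit argument; the row count after expansion is the sum of the value counts, which is why expanding a large multivalue field can multiply the result set.

```python
"""Model of Splunk's makemv and mvexpand on the question's sample rows.

This is an added example, not Splunk code: a result set is a list of
dicts, a multivalue field is a list, a single-value field is a str.
"""

# Constructed sample data: the two rows from the question, ApplicationName
# still a single ':'-delimited string.
SAMPLE_ROWS = [
    {"ApplicationID": "1", "ApplicationName": "A:B:C"},
    {"ApplicationID": "2", "ApplicationName": "D:E:F"},
]


def makemv(rows, field, delim=":"):
    """Model of `makemv delim="<delim>" <field>`: turn the field's string
    value into a list of values. Rows without the field pass through."""
    out = []
    for row in rows:
        new = dict(row)
        value = new.get(field)
        if isinstance(value, str):
            new[field] = value.split(delim)
        out.append(new)
    return out


def mvexpand(rows, field, limit=None):
    """Model of `mvexpand <field>`: one output row per value of the field,
    with every other field copied onto each new row (this is what keeps
    ApplicationID attached to each ApplicationName). `limit` mimics the
    command's limit argument: values beyond it are dropped. Rows where the
    field is not multivalue pass through unchanged."""
    out = []
    for row in rows:
        values = row.get(field)
        if not isinstance(values, list):
            out.append(dict(row))
            continue
        if limit is not None:
            values = values[:limit]
        for v in values:
            new = dict(row)
            new[field] = v
            out.append(new)
    return out


def expand_application_names(rows, delim=":"):
    """The accepted answer as a pipeline:
    ... | makemv delim=":" ApplicationName | mvexpand ApplicationName"""
    return mvexpand(makemv(rows, "ApplicationName", delim), "ApplicationName")


def as_pairs(rows):
    """Flatten to (ApplicationID, ApplicationName) tuples, in row order, so
    the result can be compared with the question's Desired Output."""
    return [(r["ApplicationID"], r["ApplicationName"]) for r in rows]


if __name__ == "__main__":
    pairs = as_pairs(expand_application_names(SAMPLE_ROWS))
    for i, (app_id, name) in enumerate(pairs, 1):
        print(f"Row {i}: {app_id} {name}")
```

Running the block prints the six rows of the question's Desired Output. Passing `limit=2` to `mvexpand` shows the effect of the limit argument: each source row contributes only two rows, so the output shrinks from six rows to four.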

Re: How do I delimit multivalue fields?

Explorer

Thanks for the quick reply Kamlesh. Your query worked. 🙂


Re: How do I delimit multivalue fields?

Legend

@anilec21, please accept kamleshvaghela's answer if this helped.
| eval message="Happy Splunking!!!"



Re: How do I delimit multivalue fields?

Motivator

@anil_ec21

try this

| makeresults
| eval ApplicationID="1;2"
| eval ApplicationName="A:B:C;D:E:F"
| eval ApplicationID=split(ApplicationID,";")
| eval ApplicationName=split(ApplicationName,";")
| eval test=mvzip(ApplicationID,ApplicationName)
| mvexpand test
| fields test
| rex field=test maxmatch=0 "(?P<v1>\d+),(?P<v2>\S+)"
| eval v2=split(v2,":")
| mvexpand v2
| rename v1 as ApplicationID, v2 as ApplicationName
| table ApplicationID ApplicationName