Re: How do I divide multiple values in a field int...

BrandSentiment · ‎11-16-2015

I have created a delim operator as follows:

| makemv delim=","  TONE

which returns the following values in the TONE field:

0.86767895878525
3.25379609544469
2.38611713665944
5.63991323210412
24.7288503253796
0.867678958785249

I would like to to separate each of these values into new fields at the time of search:

Tone
Positive Score
Negative Score
Polarity
Activity Reference Density
Reference Density

Is this possible?

sundareshr · ‎11-16-2015

Assuming the makemv command is returing data in the right format into a field named tone, to extract each value use the following command

..| eval gkg_Tone1=mvindex(tone, 0) | eval gkg_Pos_Score=mvindex(tone, 1) ad so on for rest of the fields. This assumes the order in which the 6 data point are arranged is always the same.

dart · ‎11-16-2015

The mvindex function will let you select individual elements in a multivalued field : http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Commonevalfunctions

BrandSentiment · ‎11-16-2015

Thanks Dart,

How do I structure the command:

I want to take each of these values in a field named gkg_TONE (there are always 6 values comma separated):

0, 3.25379609544469, 2.38611713665944, 0, 24.7288503253796, 0.867678958785249

With these values I would like to create these fields:

gkg_TONE1="0"
gkg_Pos_Score="3.25379609544469"
gkg_Neg_Score="2.38611713665944"
gkg_Polarity="0"
gkg_Ativity_Ref="24.7288503253796"
gkg_Ref_Dens="0.867678958785249"

I have tried this:

| eval n=mvindex (gkg_TONE, gkg_TONE1, gkg_Pos_Score, gkg_Neg_Score, gkg_Polarity, gkg_Ativity_Ref, gkg_Ref_Dens)

but get:

"Error in 'eval' command: The arguments to the 'mvindex' function are invalid."

Please can you help.

Thanks,

Jonathan

How do I divide multiple values in a field into new separate fields at search-time?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life