Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you MVZIP more than one field?

brajaram
Communicator
‎03-28-2019 04:48 PM

My data is in JSON format, and contains arrays of JSON data that can be from 1 to N blocks. In this JSON, fields can have the same value across the blocks.

If I have 3 multivalue fields across those blocks, how do I combine them? With mvzip, I can combine two. This lets me parse out the specific value for another value.

FieldA                    FieldB                    FieldC
Quick                     Brown                     Fox
Jumped                    Brown                     Fox
Over                      Brown                     The

So if I wanted to find all values of FieldA that corresponded to Brown Fox, then I want to be able to zip up FIeldA+FieldB+FieldC, then look for the specific combination of Brown and Fox. For 2 fields, I have done this with mvzip. How do I do this with three fields?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnravikumar
Champion
‎03-28-2019 04:58 PM

Hi

Try this

| makeresults 
| eval FieldA="Quick,Jumped,Over", FieldB="Brown,Brown,Brown", FieldC="Fox,Fox,The" 
| makemv delim="," FieldA 
| makemv delim="," FieldB 
| makemv delim="," FieldC 
| stats list(FieldA) as FieldA,list(FieldB) as FieldB,list(FieldC) as FieldC 
| eval temp=mvzip(FieldA,mvzip(FieldB,FieldC))

View solution in original post

Reply
Solved! Jump to solution

jaxjohnny2000
Builder
‎06-29-2023 07:00 AM

I know this is an old topic, but i recently had the same issue.  So maybe it will help someone else. 

the mvzip takes 2 required and one optional parameter.  You can only combine two fields at a time, followed by any character as a delimiter.  in the example below, I use a pipe character |

But i have discovered, you can nest the mvzip and then extract them out

so for your example using FieldA, FieldB, and FieldC

A simple mvzip would be:
| eval combined_data=mvzip(FieldA,FieldB,"|")

and that's it, but wait there's more, proceed with nesting

| eval combined_data=mvzip(mvzip(FieldA,FieldB,"|"),FieldC,"|")

next expand the mv field

| mvexpand combined_data

Finally, extract the fields in the same order you combined them:

| rex field=combined_data "^(?<FieldA>[^|]*)\|(?<FieldB>[^|]*)\|(?<FieldC>[^|]*)"

 

 

 

 

 

Reply
Solved! Jump to solution
Solution

vnravikumar
Champion
‎03-28-2019 04:58 PM

Hi

Try this

| makeresults 
| eval FieldA="Quick,Jumped,Over", FieldB="Brown,Brown,Brown", FieldC="Fox,Fox,The" 
| makemv delim="," FieldA 
| makemv delim="," FieldB 
| makemv delim="," FieldC 
| stats list(FieldA) as FieldA,list(FieldB) as FieldB,list(FieldC) as FieldC 
| eval temp=mvzip(FieldA,mvzip(FieldB,FieldC))
Reply
Solved! Jump to solution

brajaram
Communicator
‎03-28-2019 05:52 PM

Thanks for the help. I didn't realize I could use mvzip inside of an mvzip. Once I did that, it worked fine to find the specific cases we needed. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...