Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to achieve field with a value containing commas?

Yossarian622
Engager
‎02-15-2023 12:47 PM

Unfortunately I have no control over the log data formatting...

it is in format:  Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|...

I have one field, Criteria, that has many values with embedded commas.

Splunk search only give me the first value... I want all values treated as one in a stats count by

I tried below to rewrite them, and do see the changes, but stats still getting only first value.

index=myidx  Msg=mymsg  |  rex mode=sed field=_raw "s/,/-/g"
| bucket span=1d _time as ts
| eval ts=strftime(ts,"%Y-%m-%d")
| stats count by ts Criteria

 

Labels (3)
Labels
0 Karma
Reply

Yossarian622
Engager
‎02-16-2023 09:13 AM

sorry but I am still only getting the first value before the first comma

do I need to do a re eval

should I be using mvindex in some form?

0 Karma
Reply

Yossarian622
Engager
‎02-16-2023 08:40 AM

sorry but I am still only getting the first value before the comma/hyphen.

do I need to re eval the whole line?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-16-2023 10:33 PM

Let's go back to your data.  The illustrated format, is it raw event or is it from one field?  What is the command that you last tried?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-15-2023 01:15 PM

It is unfortunate that the log isn't quoted as we would have liked.  Fortunately, it is formatted well enough for kv aka extract command.

| kv pairdelim="|" ``` kvdelim defaults to "=" so it can be omitted ```

 

Tags (1)
0 Karma
Reply

Yossarian622
Engager
‎02-15-2023 01:51 PM

I added:  | kv pairdelim="|"

but stats is still only showing me the first value before the comma

or - if i keep the rex mode=sed field=_raw "s/,/-/g"

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-15-2023 01:54 PM

Sorry for misleading you about kvdelim.  You still need it when the string is not quoted.

| makeresults
| fields - _time
| eval _raw = "Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|..."
| kv pairdelim="|" kvdelim="="
CriteriaField1Field2_raw
one,two,three,99.0Value1Value2Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|...

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...