Splunk Search

How to achieve field with a value containing commas?

Yossarian622
Loves-to-Learn

Unfortunately I have no control over the log data formatting...

it is in format:  Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|...

I have one field, Criteria, that has many values with embedded commas.

Splunk search only give me the first value... I want all values treated as one in a stats count by

I tried below to rewrite them, and do see the changes, but stats still getting only first value.

index=myidx  Msg=mymsg  |  rex mode=sed field=_raw "s/,/-/g"
| bucket span=1d _time as ts
| eval ts=strftime(ts,"%Y-%m-%d")
| stats count by ts Criteria

 

Labels (3)
0 Karma

Yossarian622
Loves-to-Learn

sorry but I am still only getting the first value before the first comma

do I need to do a re eval

should I be using mvindex in some form?

0 Karma

Yossarian622
Loves-to-Learn

sorry but I am still only getting the first value before the comma/hyphen.

do I need to re eval the whole line?

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Let's go back to your data.  The illustrated format, is it raw event or is it from one field?  What is the command that you last tried?

0 Karma

yuanliu
SplunkTrust
SplunkTrust

It is unfortunate that the log isn't quoted as we would have liked.  Fortunately, it is formatted well enough for kv aka extract command.

| kv pairdelim="|" ``` kvdelim defaults to "=" so it can be omitted ```

 

Tags (1)
0 Karma

Yossarian622
Loves-to-Learn

I added:  | kv pairdelim="|"

but stats is still only showing me the first value before the comma

or - if i keep the rex mode=sed field=_raw "s/,/-/g"

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Sorry for misleading you about kvdelim.  You still need it when the string is not quoted.

| makeresults
| fields - _time
| eval _raw = "Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|..."
| kv pairdelim="|" kvdelim="="
CriteriaField1Field2_raw
one,two,three,99.0Value1Value2Field1=Value1|Field2=Value2| ... |Criteria=one,two,three,99.0|...

 

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...

Splunk Observability Cloud | Enhancing Your Onboarding Experience with the ...

We understand that your initial experience with getting data into Splunk Observability Cloud is crucial as it ...