Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to append values from a field to all values of a multivalued field?

kabiraj
Path Finder
‎06-29-2015 02:39 AM

Hi All,

I have a multivalued field. I want to take values from one field and append the same to all the values of a multivalued field. The number of values present in multivalued field is NOT constant.

Example: I have a multivalued field as error=0,8000,80001, and so on.
( want to append values from a field such as 'TargetBandwidth' to all values like error=0:targetbandwidth, 8000:targetbandwidth, 8001:targetbandwidth, and so on.

Any ideas on how to do that?

Tried eval error = error+":"+TargetBandwidth but it didn't work.
Tried with eval error = mvappend(error,TargetBandwidth) but it appends values only to the last value of the mv field like error=0, 8000, 8001, and so on:targetbandwidth.

Please help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-29-2015 07:34 AM

Try this:

... | mvexpand error | eval error = error . ":" . TargetBandwidth | mvcombine error

View solution in original post

Reply
Solved! Jump to solution

kabiraj
Path Finder
‎06-29-2015 09:58 PM

Thank You guys for replying. Figured it out myself yesterday. Just a simple mvexpand did the trick. Since woodcock replied first so i m gonna accept his answer. Once again sorry for asking such a dumb question.

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎06-29-2015 08:07 AM

HI kabiraj
This search code works well . Try it

.......|mvexpand error|rex field=error  "(?P<error1>[^\,]+)"|eval error1=error1.":"."TargetBandwidth"|eval error=error1.","|stats  values(error) as error

Look at an example

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

kabiraj
Path Finder
‎06-29-2015 10:00 PM

Thank you chimell. Figured it out yesterday. Only a mvexpand and then mvcombine did the trick. Anyways, sorry for the dumb question.

0 Karma
Reply
Solved! Jump to solution

johnmccash
Explorer
‎10-16-2018 12:57 PM

I'm trying to do something similar, but the whole reason I am is to try and get around the high memory cost of the mvexpand operation. Any other suggestions?

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎10-16-2018 02:55 PM

@johnmccash please create a new post on this, this question is from 2015 and answered already. I've found very few ways to work around this issue but ask the question in a new post...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-29-2015 07:34 AM

Try this:

... | mvexpand error | eval error = error . ":" . TargetBandwidth | mvcombine error
Reply
Solved! Jump to solution

kabiraj
Path Finder
‎06-29-2015 09:59 PM

Thank you woodcock. Figured it out myself but thanks for the answer and sorry for the dumb question.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...