Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to append values from a field to all values of a multivalued field?

kabiraj
Path Finder
‎06-29-2015 02:39 AM

Hi All,

I have a multivalued field. I want to take values from one field and append the same to all the values of a multivalued field. The number of values present in multivalued field is NOT constant.

Example: I have a multivalued field as error=0,8000,80001, and so on.
( want to append values from a field such as 'TargetBandwidth' to all values like error=0:targetbandwidth, 8000:targetbandwidth, 8001:targetbandwidth, and so on.

Any ideas on how to do that?

Tried eval error = error+":"+TargetBandwidth but it didn't work.
Tried with eval error = mvappend(error,TargetBandwidth) but it appends values only to the last value of the mv field like error=0, 8000, 8001, and so on:targetbandwidth.

Please help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-29-2015 07:34 AM

Try this:

... | mvexpand error | eval error = error . ":" . TargetBandwidth | mvcombine error

View solution in original post

Reply
Solved! Jump to solution

kabiraj
Path Finder
‎06-29-2015 09:58 PM

Thank You guys for replying. Figured it out myself yesterday. Just a simple mvexpand did the trick. Since woodcock replied first so i m gonna accept his answer. Once again sorry for asking such a dumb question.

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎06-29-2015 08:07 AM

HI kabiraj
This search code works well . Try it

.......|mvexpand error|rex field=error  "(?P<error1>[^\,]+)"|eval error1=error1.":"."TargetBandwidth"|eval error=error1.","|stats  values(error) as error

Look at an example

alt text

tyu.png
Preview file
41 KB
0 Karma
Reply
Solved! Jump to solution

kabiraj
Path Finder
‎06-29-2015 10:00 PM

Thank you chimell. Figured it out yesterday. Only a mvexpand and then mvcombine did the trick. Anyways, sorry for the dumb question.

0 Karma
Reply
Solved! Jump to solution

johnmccash
Explorer
‎10-16-2018 12:57 PM

I'm trying to do something similar, but the whole reason I am is to try and get around the high memory cost of the mvexpand operation. Any other suggestions?

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎10-16-2018 02:55 PM

@johnmccash please create a new post on this, this question is from 2015 and answered already. I've found very few ways to work around this issue but ask the question in a new post...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-29-2015 07:34 AM

Try this:

... | mvexpand error | eval error = error . ":" . TargetBandwidth | mvcombine error
Reply
Solved! Jump to solution

kabiraj
Path Finder
‎06-29-2015 09:59 PM

Thank you woodcock. Figured it out myself but thanks for the answer and sorry for the dumb question.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top