Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to append values from a field to all values of a multivalued field?

kabiraj
Path Finder
‎06-29-2015 02:39 AM

Hi All,

I have a multivalued field. I want to take values from one field and append the same to all the values of a multivalued field. The number of values present in multivalued field is NOT constant.

Example: I have a multivalued field as error=0,8000,80001, and so on.
( want to append values from a field such as 'TargetBandwidth' to all values like error=0:targetbandwidth, 8000:targetbandwidth, 8001:targetbandwidth, and so on.

Any ideas on how to do that?

Tried eval error = error+":"+TargetBandwidth but it didn't work.
Tried with eval error = mvappend(error,TargetBandwidth) but it appends values only to the last value of the mv field like error=0, 8000, 8001, and so on:targetbandwidth.

Please help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-29-2015 07:34 AM

Try this:

... | mvexpand error | eval error = error . ":" . TargetBandwidth | mvcombine error

View solution in original post

Reply
Solved! Jump to solution

kabiraj
Path Finder
‎06-29-2015 09:58 PM

Thank You guys for replying. Figured it out myself yesterday. Just a simple mvexpand did the trick. Since woodcock replied first so i m gonna accept his answer. Once again sorry for asking such a dumb question.

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎06-29-2015 08:07 AM

HI kabiraj
This search code works well . Try it

.......|mvexpand error|rex field=error  "(?P<error1>[^\,]+)"|eval error1=error1.":"."TargetBandwidth"|eval error=error1.","|stats  values(error) as error

Look at an example

alt text

tyu.png
Preview file
41 KB
0 Karma
Reply
Solved! Jump to solution

kabiraj
Path Finder
‎06-29-2015 10:00 PM

Thank you chimell. Figured it out yesterday. Only a mvexpand and then mvcombine did the trick. Anyways, sorry for the dumb question.

0 Karma
Reply
Solved! Jump to solution

johnmccash
Explorer
‎10-16-2018 12:57 PM

I'm trying to do something similar, but the whole reason I am is to try and get around the high memory cost of the mvexpand operation. Any other suggestions?

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎10-16-2018 02:55 PM

@johnmccash please create a new post on this, this question is from 2015 and answered already. I've found very few ways to work around this issue but ask the question in a new post...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-29-2015 07:34 AM

Try this:

... | mvexpand error | eval error = error . ":" . TargetBandwidth | mvcombine error
Reply
Solved! Jump to solution

kabiraj
Path Finder
‎06-29-2015 09:59 PM

Thank you woodcock. Figured it out myself but thanks for the answer and sorry for the dumb question.

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

What’s New in Splunk Enterprise 9.4: Tools for Digital ResilienceTune in to What’s New in Splunk Enterprise ...

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...
Top