How to convert a field value containing a list of fields into the values of those fields

dmillis
Splunk Employee

Consider a field value which contains a list of comma-separated field names, such as 'fieldList' in this example:

| makeresults
| eval host="server42"
| eval location="dallas"
| eval temp="50"
| eval color="blue"
| eval fieldList="temp,host,color"

I want to create a new field containing the concatenated values of the fields in 'fieldList', like this:

| eval concatenatedValue = temp . host . color

... which, in this example, would result in 'concatenatedValue' containing a value of "50server42blue". 

The next event might have fieldList="location,temp,host", which would need to be evaluated in a similar fashion.

Any suggestions?

0 Karma

dmillis
Splunk Employee

Based on the solution posted by @ITWhisperer , here is the final approach I am using:

| makeresults
| eval host="server42"
| eval location="dallas"
| eval temp="50"
| eval color="blue"
| eval fieldList="host,,  temp color"
| rex mode=sed field=fieldList "s/\s+/,/g"
| eval mvfieldList=split(fieldList, ",")
| foreach * [ eval value=if(in("<<FIELD>>",mvfieldList), mvappend(value,<<FIELD>>), value) ]
| eval concatenated=mvjoin(value," - ")

This loads the values into 'concatenated' in alphabetical fieldname order (from 'fieldList'), rather than in the order listed in 'fieldList', but this is OK for my use case (since it will be consistent).

Thanks to @ITWhisperer and @renjith_nair for responding!

0 Karma

ITWhisperer
SplunkTrust
| makeresults
| eval host="server42"
| eval location="dallas"
| eval temp="50"
| eval color="blue"
| eval fieldList="temp,host,color|location,temp,host"
| eval fieldList=split(fieldList,"|")
| mvexpand fieldList
| fields - _time
| foreach * [ eval name=mvappend(name,"<<FIELD>>") | eval value=mvappend(value,<<FIELD>>) ]
| eval fieldList=split(fieldList,",")
| eval concatenated=mvjoin(mvmap(fieldList,mvindex(value,mvfind(name,fieldList))),"")
| fields - name value

dmillis
Splunk Employee

Nicely done, @ITWhisperer !  This absolutely works.

0 Karma

renjith_nair
Legend

Try

| makeresults
| eval host="server42"
| eval location="dallas"
| eval temp="50"
| eval color="blue"
| eval fieldList="temp,host,color"
| eval concatenatedValue =mvjoin(split(fieldList,","),".")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

dmillis
Splunk Employee

Alas, still only produces field names, not the field values.

0 Karma

ITWhisperer
SplunkTrust

ITWhisperer_0-1605639093491.png

 

0 Karma