How to create an array of values from a field?

naveenurs
Explorer

Hello,

I am trying to parse a field like the one below into an array of Key/Value pairs and access each array value separately.

uatoken:
Macintosh; Intel Mac OS X 10_7_5
Windows NT 6.2; WOW64; rv:22.0
compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; ARM; Touch; WPDesktop
compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0
compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0
Android; Mobile; rv:22.0
Macintosh; Intel Mac OS X 10_7_5
compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0
compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0
Linux; U; Android 4.0.3; en-us; HTC_X515C Build/IML74K
compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0
compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0
Windows NT 6.1; chromeframe/28.0.1500.72
Macintosh; Intel Mac OS X 10_8_4
compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0

The end result that I am looking for is:
uatoken[0] OR uatoken0=compatible
uatoken[1] OR uatoken1=MSIE 10.0
uatoken[2] OR uatoken2=Windows NT 6.1
uatoken[3] OR uatoken3=Trident/6.0

How can I achieve this in Splunk?

Thanks in advance!!!

0 Karma

naveenurs
Explorer

I was able to accomplish what I was looking for.

eventtype=video
| eval uatokentmp=split(uatoken,";")
| eval uatoken0=mvindex(uatokentmp,0)
| eval uatoken1=mvindex(uatokentmp,1)
| eval uatoken2=mvindex(uatokentmp,2)
| eval uatoken3=mvindex(uatokentmp,3)
| eval uatoken4=mvindex(uatokentmp,4)
| eval uatoken5=mvindex(uatokentmp,5)
| table uatoken0 uatoken1 uatoken2 uatoken3 uatoken4 uatoken5

Is there a better / more efficient way than this to accomplish this?

l0pher
Explorer

Thanks! mvindex is the function I was looking for.

0 Karma
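
The split/mvindex search from the thread, as an added example that is not part of the original posts: it runs on two constructed user-agent strings built with makeresults (so it needs no indexed data), trims the space that splitting on ";" leaves in front of every token after the first, and records how many tokens each string has. It assumes a Splunk version that provides the mvmap eval function; the field name tokencount is hypothetical.

```spl
| makeresults
| eval uatoken=split("compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0|Android; Mobile; rv:22.0", "|")
| mvexpand uatoken
| eval uatokentmp=split(uatoken, ";")
| eval uatokentmp=mvmap(uatokentmp, trim(uatokentmp))
| eval tokencount=mvcount(uatokentmp)
| eval uatoken0=mvindex(uatokentmp, 0),
       uatoken1=mvindex(uatokentmp, 1),
       uatoken2=mvindex(uatokentmp, 2),
       uatoken3=mvindex(uatokentmp, 3)
| table uatoken tokencount uatoken0 uatoken1 uatoken2 uatoken3
```

For the three-token string, mvindex returns null for index 3, so uatoken3 stays empty; tokencount lets a search filter or alert on user-agent strings with an unexpected number of tokens.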