Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract a multivalue field into separate fi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bibc
Explorer
03-17-2015
11:56 PM
I'm using the following regex to extract name from data:
.. | rex "@name='(?P<Name>[^']+)" max_match=0
This works and extracts the Name field multiple times, but I want to extract the Name in multiple fields like Name01, Name02 ...
The reason for this is that I use the ODBC driver to get the search results and this only gets the first Name value.
Here is an example of the data:
COGIPF_REPORTPATH=/content/folder[@name='Reports']/folder[@name='Test company']/folder[@name='Sales']/folder[@name='User reports']/folder[@name='Test User']/analysis[@name='Sales this month']
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stephane_cyrill
Builder
03-18-2015
03:23 AM
Hi, try this
.....| rex "@name='(?P[^']+)" max_match=0| eval name1=mvindex(Name,0) | eval name2=mvindex(Name,1) | eval name3=mvindex(Name,2) | eval name4=mvindex(Name,3) | eval name5=mvindex(Name,4)| eval name6=mvindex(Name,5) |table name1 name2 name3 name4 name5 name6
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stephane_cyrill
Builder
03-18-2015
03:23 AM
Hi, try this
.....| rex "@name='(?P[^']+)" max_match=0| eval name1=mvindex(Name,0) | eval name2=mvindex(Name,1) | eval name3=mvindex(Name,2) | eval name4=mvindex(Name,3) | eval name5=mvindex(Name,4)| eval name6=mvindex(Name,5) |table name1 name2 name3 name4 name5 name6
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bibc
Explorer
03-18-2015
08:50 AM
Hi
Great, just what I needed.
It even Works through the ODBC connection showing the right data.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stephane_cyrill
Builder
03-20-2015
12:56 AM
you 're welcome
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sk314
Builder
03-18-2015
12:05 AM
have you looked at mvexpand? http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Mvexpand
you could pipe an mvexpand command at the end of your rex extraction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bibc
Explorer
03-18-2015
12:18 AM
Hi
Thanks for your suggestion.
I have just tried to use mvexpand but this results in multiple events/records.
What I need is a single event with the multivalue field seperated in different fields.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
