Splunk Search

How to extract a multivalue field into separate fields?

bibc
Explorer

I'm using the following regex to extract name from data:

.. | rex "@name='(?P<Name>[^']+)" max_match=0

This works and extracts the Name field multiple times, but I want to extract the Name in multiple fields like Name01, Name02 ...
The reason for this is that I use the ODBC driver to get the search results and this only gets the first Name value.

Here is an example of the data:

COGIPF_REPORTPATH=/content/folder[@name='Reports']/folder[@name='Test company']/folder[@name='Sales']/folder[@name='User reports']/folder[@name='Test User']/analysis[@name='Sales this month']
1 Solution

stephane_cyrill
Builder

Hi, try this
.....| rex "@name='(?P<Name>[^']+)" max_match=0 | eval name1=mvindex(Name,0) | eval name2=mvindex(Name,1) | eval name3=mvindex(Name,2) | eval name4=mvindex(Name,3) | eval name5=mvindex(Name,4) | eval name6=mvindex(Name,5) | table name1 name2 name3 name4 name5 name6
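
The same flattening modelled outside Splunk, as an added example that is not part of the original thread: it generalizes the fixed `mvindex` chain to any column count and reports values beyond the last column, which the six hard-coded evals would drop without warning. The function name `split_names`, its `width` and `prefix` parameters, and the `SHALLOW` and `DEEP` events are assumptions constructed for illustration.

```python
import re

# Same pattern as the rex command on this page; findall plays the role of max_match=0.
NAME_RE = re.compile(r"@name='(?P<Name>[^']+)")

def split_names(raw, width=6, prefix="Name"):
    """Flatten every @name value in `raw` into fixed, numbered columns.

    Returns (row, overflow). `row` maps Name01..Name<width> to a value or None
    (mvindex likewise yields null past the end of the multivalue field).
    `overflow` lists the values that did not fit into `width` columns.
    """
    values = NAME_RE.findall(raw)
    row = {}
    for i in range(width):
        row[f"{prefix}{i + 1:02d}"] = values[i] if i < len(values) else None
    return row, values[width:]

# Constructed sample events: the path from the question, a shallow path, a deeper path.
SAMPLE = ("COGIPF_REPORTPATH=/content/folder[@name='Reports']"
          "/folder[@name='Test company']/folder[@name='Sales']"
          "/folder[@name='User reports']/folder[@name='Test User']"
          "/analysis[@name='Sales this month']")
SHALLOW = "COGIPF_REPORTPATH=/content/folder[@name='Reports']/report[@name='Audit']"
DEEP = SAMPLE.replace("/analysis[", "/folder[@name='Archive']/analysis[")

if __name__ == "__main__":
    for event in (SAMPLE, SHALLOW, DEEP):
        row, overflow = split_names(event)
        print(row, "overflow:", overflow)
```

A non-empty overflow list means the column count is too small for the deepest path in the data and should be raised before the results are read over ODBC.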

bibc
Explorer

Hi
Great, just what I needed.
It even works through the ODBC connection showing the right data.
Thanks.

stephane_cyrill
Builder

You're welcome

0 Karma

sk314
Builder

Have you looked at mvexpand? http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Mvexpand

You could pipe an mvexpand command at the end of your rex extraction.

0 Karma

bibc
Explorer

Hi
Thanks for your suggestion.
I have just tried to use mvexpand but this results in multiple events/records.
What I need is a single event with the multivalue field separated in different fields.

0 Karma