Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract all unique values from a multivalue field in one event?

edrivera3
Builder
‎04-15-2015 10:57 AM

Hi

I want to extract field values that are distinct in one event. I managed to extract all the field values in the event, but I don't want those that repeat themselves.

...| rex field=_raw "El color de la casa es (?< color_casa > [a-z]{1,10})" max_match=0
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎04-15-2015 11:27 AM

Looking at the functions for eval, I would guess that

    ... | rex field=_raw "El color de la casa es (?< color_casa > [a-z]{1,10})" max_match=0 | eval color_casa=mvdedup(color_casa)

should do the trick. If not that then: 

    ... | rex field=_raw "El color de la casa es (?< color_casa > [a-z]{1,10})" max_match=0 | eval color_casa=mvdedup(mvsort(color_casa))

View solution in original post

Reply
Solved! Jump to solution

ngatchasandra
Builder
‎04-15-2015 11:40 AM

Hi edrivera3,

Try with mvindex function, this will retrieve all values field like follow:

 ...| rex field=_raw "El color de la casa es (?< color_casa > [a-z]{1,10})" max_match=0 |eval color1=mvindex( color_casa,0) |eval color2=mvindex( color_casa,1) |eval color3=mvindex( color_casa,2) |... |table color1 color2 color3 ...
0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-16-2015 07:05 AM

I have more than thirty values in each event and the amount of values is different for each event. Thanks anyway for your answer.

0 Karma
Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎04-15-2015 11:27 AM

Looking at the functions for eval, I would guess that

    ... | rex field=_raw "El color de la casa es (?< color_casa > [a-z]{1,10})" max_match=0 | eval color_casa=mvdedup(color_casa)

should do the trick. If not that then: 

    ... | rex field=_raw "El color de la casa es (?< color_casa > [a-z]{1,10})" max_match=0 | eval color_casa=mvdedup(mvsort(color_casa))
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-15-2015 03:57 PM

Do you know how I could do the same but with the configuration file? (No inline)

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎04-16-2015 12:14 PM

Assuming you're using field extraction to create the multivalued field, you may be able to use a calculated field to tweak it's value, but it's something you'd need to play with to know for certain.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...