Splunk Search

How to extract fields in from this scenario? Fields within a field.

adrianathome
Communicator

I have a field on my events that has the following:

john,12345,mark,2356,maria,4567
rachel,8883,john2,488475
nothing to report
NULL
peter,9993

I am trying to create two fields from this. Field1 is called employee, and field2 would be employeeid. I want my end product to look like this:

employee=john
employeeid=12345
employee=mark
employeeid=2356
...
employee=peter
employeeid=9993

The problem is that sometimes the events have 1 employe, other times more then one, and the field can also be empty.

I have been trying to achieve this with makemv or extract|kv with no successful results.

How would you guys/gals go about getting this done?

0 Karma

sowings
Splunk Employee
Splunk Employee

I would use a named transform with a regular expression, and use MV_ADD = true. You'll have to tie the transform to the sourcetype with a REPORT-... stanza in props.conf.

http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Propsconf

http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Transformsconf

sowings
Splunk Employee
Splunk Employee

In that case, I might look at "mvexpand". The props / transforms that I described above creates a multi-valued field. mvexpand takes each of those values and splits it into its own event.

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Mvexpand

0 Karma

adrianathome
Communicator

Awesome! That seem to have worked for the field=value part. Now, what do I need to do so that each field=value has its own event?

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...