Solved: How to extract numbers from multivalue fields

cindygibbs_08 · ‎07-13-2021

Hello Guys I have a sort of quick question that has been challanging me.

I use this SPL to extract some info

| stats values(*) as * by CLIENTE_OUTPOST

Sometimes I use list sometimes I use values... and I want to be able to extract all values in the multivalue field "PROMOS" in a new field called "ADDED" this is an example:

from this:

CLIENT_OUTPOST	PROMOS	DATE	VOUCHER
LIZZA_90	UIK_IO 87585 A_IDYD 78545 10584	18-05-2021	XX-PO-89

I want this:

CLIENT_OUTPOST	PROMOS	DATE	VOUCHER	ADDED
LIZZA_90	UIK_IO 87585 A_IDYD 78545 10584	18-05-2021	XX-PO-89	87585 78545 10584

I will be so thankfull if you can help me out, just for reference I will eaither have strings with characters or strings that are numbers... but i have tried mvfilter, rex without any luck thank you so much guys!

Love,

Cindy

venkatasri · ‎07-13-2021

Hi @cindygibbs_08 can you try this?

<your_search>
| eval promos_delim=mvjoin(PROMOS,",")
| rex field=promos_delim max_match=0 "(?<Added>\d+)" 
| table PROMOS Added

---

An upvote would be appreciated and Accept solution if this reply helps!

View solution in original post

venkatasri · ‎07-13-2021

Hi @cindygibbs_08 can you try this?

<your_search>
| eval promos_delim=mvjoin(PROMOS,",")
| rex field=promos_delim max_match=0 "(?<Added>\d+)" 
| table PROMOS Added

---

An upvote would be appreciated and Accept solution if this reply helps!

cindygibbs_08 · ‎07-22-2021

@venkatasri the best! 10/10 sorry for the delay

How to extract numbers from multivalue fields

regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!