Solved: Re: How to extract numbers from multivalue fields

cindygibbs_08 · ‎07-13-2021

Hello Guys I have a sort of quick question that has been challanging me.

I use this SPL to extract some info

| stats values(*) as * by CLIENTE_OUTPOST

Sometimes I use list sometimes I use values... and I want to be able to extract all values in the multivalue field "PROMOS" in a new field called "ADDED" this is an example:

from this:

CLIENT_OUTPOST	PROMOS	DATE	VOUCHER
LIZZA_90	UIK_IO 87585 A_IDYD 78545 10584	18-05-2021	XX-PO-89

I want this:

CLIENT_OUTPOST	PROMOS	DATE	VOUCHER	ADDED
LIZZA_90	UIK_IO 87585 A_IDYD 78545 10584	18-05-2021	XX-PO-89	87585 78545 10584

I will be so thankfull if you can help me out, just for reference I will eaither have strings with characters or strings that are numbers... but i have tried mvfilter, rex without any luck thank you so much guys!

Love,

Cindy

venkatasri · ‎07-13-2021

Hi @cindygibbs_08 can you try this?

<your_search>
| eval promos_delim=mvjoin(PROMOS,",")
| rex field=promos_delim max_match=0 "(?<Added>\d+)" 
| table PROMOS Added

---

An upvote would be appreciated and Accept solution if this reply helps!

View solution in original post

venkatasri · ‎07-13-2021

Hi @cindygibbs_08 can you try this?

<your_search>
| eval promos_delim=mvjoin(PROMOS,",")
| rex field=promos_delim max_match=0 "(?<Added>\d+)" 
| table PROMOS Added

---

An upvote would be appreciated and Accept solution if this reply helps!

cindygibbs_08 · ‎07-22-2021

@venkatasri the best! 10/10 sorry for the delay

How to extract numbers from multivalue fields

regex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?