Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract pipe separated subfields from a field?

lewix
New Member
‎10-22-2014 04:17 AM

Hi,
I have a index with a field named PARAMS.
This field has a content valued by subfields pipe separated.

Example:
PARAMS= mySubField1|mySubField2|mysubField3|......|mySubFieldN

Unfortunately Splunk doesn't correctly index this field (PARAMS) but in search app shows only the first subfield (mySubField1).
Even if i try to search other subfields (mySubField2, mySubField3, etc) Splunk return nothing.

Example:
_raw = PARAMS= mySubField1|mySubField2|mysubField3|......|mySubFieldN
but Splunk only shows mySubField1
event if i try in search PARAMS=mySubField2 Splunk returns nothing.

Anybody can help me please or suggest me a workaround?

Thank you!
Lewix

0 Karma
Reply

marcoscala
Builder
‎12-01-2014 02:30 AM

Hi,
I suggest you to check this document section:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Parsemultivaluefields

As you can see, I think that one simple solution could be to use "makemv" command, like this:

sourcetype=buonopasto  CMD=noop| makemv delim="|" PARAMS

that works in the simple scenario where you just have one separator (the PIPE char). It this works for you at least in that case, you can then work on a "append" of two searches, like this:

sourcetype=buonopasto  CMD=noop| makemv delim="|" PARAMS | append [search sourcetype=buonopasto  CMD=puttrans| makemv delim=" " PARAMS ]

Hope it helps,

Marco

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-22-2014 03:27 PM

You can create a DELIMS based extraction (transforms.conf) to extract the subfields:

[your\_transform\_rule]
SOURCE\_KEY = PARAMS
DELIMS = "|"
FIELDS = mysubfield1, mysubfield2, ..., mysubfieldN

Then, you'd call that rule from the props of your sourcetype, like this:

[your\_sourcetype]
REPORT-subfields = your\_transform\_rule
0 Karma
Reply

lewix
New Member
‎10-24-2014 01:27 AM

Hi,
thank you for your help but it seems not working.

I show you what i did, maybe something is wrong

  • In /opt/splunk/etc/apps/dbx/default/transforms.conf I added these lines
    [ethconnector_rule]
    SOURCE_KEY = PARAMS
    DELIMS = "|"
    FIELDS = PARAMS_FIELD1,PARAMS_FIELD2,PARAMS_FIELD3,PARAMS_FIELD4,PARAMS_FIELD5,PARAMS_FIELD6,PARAMS_FIELD7,PARAMS_FIELD8,PARAMS_FIELD9,PARAMS_FIELD10,PARAMS_FIELD11,PARAMS_FIELD12,PARAMS_FIELD13

  • In /opt/splunk/etc/apps/dbx/default/props.conf I added these lines (buonopasto is my database-input sourcetype)

[buonopasto]
REPORT-subfields = ethconnector_rule

  • I restarted splunk but new fields (PARAMS_FIELD1,...., PARAMS_FIELD12,PARAMS_FIELD13) do not appear in splunk search

Last info: PARAMS, as I said before, is pipe separated in subfields, but not always. There is another field that determines how PARAMS is separated.
Example:
if CMD==puttrans then PARAMS=PARAMS_FIELD1|...|PARAMS_FIELD12|PARAMS_FIELD13
if CMD==noop then PARAMS=field1 field2 field3

Maybe can this be the issue?

Thank you again.
Lewix

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...