Splunk Search

How to split a field into multiple fields?

Minarai
Explorer

Hi.

Let's say there is a field named "raw".

The values are like this.

http-header1=value1|http-header2=value2..

The number of HTTP headers is 1 to 4.

ex)

METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg

I'd like to split this field into multiple fields like this.

field | value
----------------------+--------------
raw_http_header1 | value1
raw_http_header2 | value2

...

ex)

field | value
----------------------+--------------
raw_METHOD | POST
raw_User_Agent | Mozilla
raw_HTTP_CONTENT | img/jpeg

...

Note that field names cannot contain "-".


ITWhisperer
SplunkTrust
| makeresults
| fields - _time
| eval raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| eval raw=split(raw,"|")
| mvexpand raw
| rex field=raw "(?<field>[^=]+)=(?<value>.*)"
| eval field="raw_".replace(field,"-","_")

Minarai
Explorer

Thanks a lot!

Sorry to bother you, but is there any way without using mvexpand?

When you use mvexpand, events are created separately, right?

I want to add fields to the original event.


ITWhisperer
SplunkTrust
| makeresults
| fields - _time
| eval raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| rex field=raw max_match=0 "(?<field>[^=]+)=(?<value>[^\|]+)\|?"
| eval field=mvmap(field,"raw_".replace(field,"-","_"))

Minarai
Explorer

Thank you for reply!

What I showed you as an example was not good.


There are events like this.

index=index_main
| table eventID,raw

eventID | raw
--------+---------------------------------------------------------
1       | METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg
2       | METHOD=GET|Referer=http://192.168.0.1
3       | METHOD=POST|X-Forwarded-For=10.0.0.1|User-Agent=Firefox

The wanted result is like this.
I want to create a new field whose name is related to the HTTP header.

eventID 2 does not have a User-Agent header, so you do not add the raw_User_Agent field.

...
| table eventID,raw*
eventID | raw                                                     | raw_METHOD | raw_User_Agent | raw_HTTP_CONTENT | raw_Referer        | raw_X_Forwarded_For
--------+---------------------------------------------------------+------------+----------------+------------------+--------------------+--------------------
1       | METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg    | POST       | Mozilla        | img/jpeg         |                    |
2       | METHOD=GET|Referer=http://192.168.0.1                   | GET        |                |                  | http://192.168.0.1 |
3       | METHOD=POST|X-Forwarded-For=10.0.0.1|User-Agent=Firefox | POST       | Firefox        |                  |                    | 10.0.0.1

ITWhisperer
SplunkTrust

raw_User_Agent is null for eventID 2

This is how tables work! You have rows and columns. Where there is a value for the column it is shown for that row. The cell (row x column) doesn't simply disappear if there is no value to be shown; it is just blank.

bowesmana
SplunkTrust

Did you want something like this?

| makeresults
| fields - _time
| eval _raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| extract
| fields - _kv _raw
| transpose 0 column_name="field"
| eval field="raw_".field
| rename "row 1" as value

which, from the "extract", will create the field/value pairs and make two columns, field and value,

or did you want a single piece of text with the values separated with a pipe symbol?


Minarai
Explorer

Thanks for your reply.

What you showed was really good,

but I want to add these fields to the search result by using the eval command or something.

ex

I want to add a "rawdata_method" field whose value is "POST".


Regards


bowesmana
SplunkTrust

i.e. this variant

| makeresults
| fields - _time
| eval _raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| rex field=_raw max_match=0 "(?<field>[^|]*)\|?"
| mvexpand field
| eval field="raw_".replace(field, "=", "|")
| fields - _raw
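An added example, not code from any poster in this thread, that produces the per-event raw_* table requested above without mvexpand: one rex per expected header name, each anchored to the start of the string or to the pipe delimiter so a value is only taken from its own key, with the "-" already replaced by "_" in the capture-group name. The three events are constructed inline with makeresults to match the table in the question.

```spl
| makeresults count=3
| streamstats count AS eventID
| fields - _time
| eval raw=case(eventID=1, "METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg",
                eventID=2, "METHOD=GET|Referer=http://192.168.0.1",
                eventID=3, "METHOD=POST|X-Forwarded-For=10.0.0.1|User-Agent=Firefox")
| rex field=raw "(?:^|\|)METHOD=(?<raw_METHOD>[^|]*)"
| rex field=raw "(?:^|\|)User-Agent=(?<raw_User_Agent>[^|]*)"
| rex field=raw "(?:^|\|)HTTP-CONTENT=(?<raw_HTTP_CONTENT>[^|]*)"
| rex field=raw "(?:^|\|)Referer=(?<raw_Referer>[^|]*)"
| rex field=raw "(?:^|\|)X-Forwarded-For=(?<raw_X_Forwarded_For>[^|]*)"
| table eventID, raw, raw_*
```

Each rex sets its field only on events where that header is present, so eventID 2 gets raw_Referer and no raw_User_Agent, which is exactly the blank cells in the requested table. Because header values such as User-Agent and X-Forwarded-For are client-supplied, the anchor also stops a value that merely contains the text "METHOD=" from being read as a key.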