Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split a field into multiple fields?

Minarai
Explorer
‎03-29-2023 08:58 PM

Hi.

Lets say there are fields named "raw".

The values are like this.

http-header1=value1|http-header2=value2..

Number of HTTP Headers is 1 to 4.

ex)

METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg

I'd like to split this field into multiple fields like this.

field | value
----------------------+--------------
raw_http_header1 | value1
raw_http_header2 | value2

...

ex)

field | value

----------------------+--------------

raw_METHOD | POST

raw_User_Agent | Mozilla

raw_HTTP_CONTENT | img/jpeg

 

...

Notice field name cannot contain "-".

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-01-2023 07:03 AM

raw_User_Agent is null for eventID 2

This is how tables work! You have rows and columns. Where there is a value for the column it is shown for that row. The cell (row x column) doesn't simply disappear if there is not value to be shown, it is just blank.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2023 12:45 AM 
| makeresults
| fields - _time
| eval raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| eval raw=split(raw,"|")
| mvexpand raw
| rex field=raw "(?<field>[^=]+)=(?<value>.*)"
| eval field="raw_".replace(field,"-","_")
Reply
Solved! Jump to solution

Minarai
Explorer
‎03-30-2023 07:15 AM

Thanks a lot!

Sorry to bother you, but is there any way without using mvexpand?

When you use mvexpand, events are created separately,right?

I want add fields to oridinal event.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2023 07:20 AM 
| makeresults
| fields - _time
| eval raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| rex field=raw max_match=0 "(?<field>[^=]+)=(?<value>[^\|]+)\|?"
| eval field=mvmap(field,"raw_".replace(field,"-","_"))
Reply
Solved! Jump to solution

Minarai
Explorer
‎04-01-2023 06:54 AM

Thank you for reply!

What I showed you as example was not good.

 

There are events like this.

index=index_main
| table eventID,raw
eventIDraw
1METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg
2METHOD=GET|Referer=http://192.168.0.1
3METHOD=POST|X-Forwarded-For=10.0.0.1|User-Agent=Firefox


The wanted result is like this.
I want to create new field which name is related http header.

eventID2 does not have User-Agent Header, so you do not add raw_User_Agent field.

...
| table eventID,raw*
eventIDrawraw_METHODraw_User_Agentraw_HTTP_CONTENTraw_Refererraw_X_Forwarded_For
1METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpegPOSTMozillaimg/jpeg  
2METHOD=GET|Referer=http://192.168.0.1GET  http://192.168.0.1 
3METHOD=POST|X-Forwarded-For=10.0.0.1|User-Agent=FirefoxPOSTFirefox  10.0.0.1
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-01-2023 07:03 AM

raw_User_Agent is null for eventID 2

This is how tables work! You have rows and columns. Where there is a value for the column it is shown for that row. The cell (row x column) doesn't simply disappear if there is not value to be shown, it is just blank.

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-29-2023 09:07 PM

Did you want something like this

| makeresults
| fields - _time
| eval _raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| extract
| fields - _kv _raw
| transpose 0 column_name="field"
| eval field="raw_".field
| rename "row 1" as value

which from the "extract" will create the field/value pairs and make two columns field and value

or did you want a single piece of text with the value separated with a pipe symbol

 

Reply
Solved! Jump to solution

Minarai
Explorer
‎03-29-2023 10:43 PM

Thanks for your reply.

What you showed was really good,

but I want add these fields to search result by using eval command or something.

ex

I want add "rawdata_method" field whose value is "POST".

 

Regards

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-29-2023 09:10 PM

i.e. this variant

| makeresults
| fields - _time
| eval _raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| rex field=_raw max_match=0 "(?<field>[^|]*)\|?"
| mvexpand field
| eval field="raw_".replace(field, "=", "|")
| fields - _raw
0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
Top