Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to split a multivalue field into separate fields?

wgoodwin_splunk
Splunk Employee
Splunk Employee
‎10-28-2016 12:31 PM

I have a customer that is attempting to check a field “Account_Name”. Some of the events have multiple account names in the field. He needs to break them out so that he has two Account_Name entries instead of one with two values. I sent him the following links but they appear to not be working for him:

https://answers.splunk.com/answers/136067/how-split-up-a-string-into-multiple-fields.html

https://answers.splunk.com/answers/345937/how-to-transpose-a-table-to-make-the-values-in-col.html

Below is the search he is conducting:

index=r0*  sourcetype=WinEventLog* (Account_Name=* OR user=* OR User_Name=*)  
| lookup Server_IP_r0a ip as src_ip OUTPUT filter
| search filter=0
| eval Local_Account_Name=upper(coalesce(Account_Name,user,User_Name))
| table Account_Name

Here is a sample of his desired results:

Account_Name
-
Administrator

Notice that the Account_Name field has two entries in it. Sometimes the entries are two names and sometimes it is a “-“ and a name. He wants to take those two entries in one field and split them into one entry in two fields so that Account_Name of “-“ and Administrator becomes Account_Name of “-“ and Account_Name of Administrator so that he can run both names through the same search and lookup commands.

Any suggestions or help would be greatly appreciated. Thank you.

0 Karma
Reply

bshuler_splunk
Splunk Employee
Splunk Employee
‎11-02-2016 01:20 AM 
index=r0*  sourcetype=WinEventLog* (Account_Name=* OR user=* OR User_Name=*)  
 | lookup Server_IP_r0a ip as src_ip OUTPUT filter
 | search filter=0
 | eval Local_Account_Name=upper(coalesce(Account_Name,user,User_Name))
 | table Account_Name
 | eval Account_Name_0 = mvindex(Account_Name, 0)
 | eval Account_Name_1 = mvindex(Account_Name, 1)
 | eval Account_Name_2 = mvindex(Account_Name, 2)
0 Karma
Reply

somesoni2
Revered Legend
‎10-28-2016 01:14 PM

Can we have some sample current output?
And, try this as well

index=r0*  sourcetype=WinEventLog* (Account_Name=* OR user=* OR User_Name=*)  
 | lookup Server_IP_r0a ip as src_ip OUTPUT filter
 | search filter=0
 | eval Local_Account_Name=upper(coalesce(Account_Name,user,User_Name))
 | table Account_Name | makemv Account_Name
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...