Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to split a multivalue field into separate fields?

wgoodwin_splunk
Splunk Employee
Splunk Employee
‎10-28-2016 12:31 PM

I have a customer that is attempting to check a field “Account_Name”. Some of the events have multiple account names in the field. He needs to break them out so that he has two Account_Name entries instead of one with two values. I sent him the following links but they appear to not be working for him:

https://answers.splunk.com/answers/136067/how-split-up-a-string-into-multiple-fields.html

https://answers.splunk.com/answers/345937/how-to-transpose-a-table-to-make-the-values-in-col.html

Below is the search he is conducting:

index=r0*  sourcetype=WinEventLog* (Account_Name=* OR user=* OR User_Name=*)  
| lookup Server_IP_r0a ip as src_ip OUTPUT filter
| search filter=0
| eval Local_Account_Name=upper(coalesce(Account_Name,user,User_Name))
| table Account_Name

Here is a sample of his desired results:

Account_Name
-
Administrator

Notice that the Account_Name field has two entries in it. Sometimes the entries are two names and sometimes it is a “-“ and a name. He wants to take those two entries in one field and split them into one entry in two fields so that Account_Name of “-“ and Administrator becomes Account_Name of “-“ and Account_Name of Administrator so that he can run both names through the same search and lookup commands.

Any suggestions or help would be greatly appreciated. Thank you.

0 Karma
Reply

bshuler_splunk
Splunk Employee
Splunk Employee
‎11-02-2016 01:20 AM 
index=r0*  sourcetype=WinEventLog* (Account_Name=* OR user=* OR User_Name=*)  
 | lookup Server_IP_r0a ip as src_ip OUTPUT filter
 | search filter=0
 | eval Local_Account_Name=upper(coalesce(Account_Name,user,User_Name))
 | table Account_Name
 | eval Account_Name_0 = mvindex(Account_Name, 0)
 | eval Account_Name_1 = mvindex(Account_Name, 1)
 | eval Account_Name_2 = mvindex(Account_Name, 2)
0 Karma
Reply

somesoni2
Revered Legend
‎10-28-2016 01:14 PM

Can we have some sample current output?
And, try this as well

index=r0*  sourcetype=WinEventLog* (Account_Name=* OR user=* OR User_Name=*)  
 | lookup Server_IP_r0a ip as src_ip OUTPUT filter
 | search filter=0
 | eval Local_Account_Name=upper(coalesce(Account_Name,user,User_Name))
 | table Account_Name | makemv Account_Name
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...