Solved: How to split multivalue fields after lookup?

skiourus · ‎11-02-2017

Hello after a search like this:

index=myindex|lookup mycsv.csv host_ip

I have the following output:

I would like to make it looks like this

assuming that the criticity is unique per host_ip regardless the number of time it appears.

Any help is welcome thanks.

kamlesh_vaghela · ‎11-02-2017

Hi
Can you please try below search??

YOUR_SEARCH
| eval tempField=mvzip(mvzip(host_ip,branch),criticity)
| stats count by _time, tempField 
| eval host_ip=mvindex(split(tempField,","),0), 
    branch=mvindex(split(tempField,","),1),
    criticity=mvindex(split(tempField,","),2)

Thanks

View solution in original post

skiourus · ‎11-08-2017

Thank you all for your solutions.

I finally solved it by this command

index=myindex 
| lookup mycsv.csv host_ip
| stats count by host_ip,branch,criticity
| fields -count

it is time consuming but it does the job!

somesoni2 · ‎11-02-2017

Try this

index=myindex|lookup mycsv.csv host_ip
| mvexpand branch | eval criticity=mvdedup(criticity)

kamlesh_vaghela · ‎11-02-2017

Hi
Can you please try below search??

YOUR_SEARCH
| eval tempField=mvzip(mvzip(host_ip,branch),criticity)
| stats count by _time, tempField 
| eval host_ip=mvindex(split(tempField,","),0), 
    branch=mvindex(split(tempField,","),1),
    criticity=mvindex(split(tempField,","),2)

Thanks

elliotproebstel · ‎11-02-2017

I think mvexpand should do what you need. Here's some documentation on it:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Mvexpand

Try adding this to the end of your query:
| mvexpand branch

How to split multivalue fields after lookup?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases