Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I'm trying to move fields from multi value fields using mvindex. Currently under "time" field I have only 3 values so i am easily moving them as new field. Is there anyway to automate this process without hard coding it?

praneeth2050
Explorer
‎01-14-2020 08:38 AM

time = 9:30
10:30
11:30
Currently I am doing this
| eval first.time=mvindex(time, 1), second.time=mvindex(time, 2), third.time=mvindex(time, 3)

This will give me first.time = 9:30, second.time= 10:30, third.time=11:30 fields moved from time field where it is a multivalued field. If i have undefined number of fields under this what should I do to automate it? instead of hardcoding it like | eval first.time=mvindex(time, 1), second.time=mvindex(time, 2), third.time=mvindex(time, 3) fourth.time=mvindex(time,4)............hundred.time=mvindex(time,100)

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2020 05:44 AM 
| makeresults count=100
| streamstats current=f count
| eval time = (random() % 23).":30"
| stats list(time) as time
`comment("this is sample data, please check this")`
| eval counter=mvrange(0,mvcount(time))
| stats list(time) as time by counter
| eval time=mvindex(time,counter)
| sort 0 counter
| transpose 0 header_field=counter column_name=_col
| foreach *
    [rename <<FIELD>> as time_<<MATCHSTR>>]

Hi, @praneeth2050
It's a boring name, but it works.

0 Karma
Reply

jpolvino
Builder
‎01-14-2020 10:06 AM

What is the problem are you trying to solve? Creating many fields like this is rarely a good idea.

0 Karma
Reply

praneeth2050
Explorer
‎01-15-2020 05:00 AM

@niketnilay is it possible to help me out here?

0 Karma
Reply

praneeth2050
Explorer
‎01-14-2020 10:20 AM

So, I am trying to create a Splunk report with the changes in time and changes in other fields. The data I receive will have multiple time fields. For now i have only 3 time fields. In the future, I may even have 10 or 20-time fields... In the case of hardcoding using mvindex is there any alternative?

PS: I have extracted this multivalued field using REGEX

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...