Splunk Search

Is it possible to create a multivalue field out of fieldnames with a specific pattern

HeinzWaescher
Motivator

Hi,

Is it possible to create a multivalue field out of fieldnames with a specific pattern?

Let's say we have several product fields in an event:
productA=20
productB=50
productC=100
...

Can we create a multivalue field that includes all fieldnames that start with "product"?
mv_field={productA productB productC}

Cheers
Heinz

0 Karma

woodcock
Esteemed Legend

Assuming that your original fields are not multi-valued fields, then like this:

index=_*
| stats count by date_second
| eval date_second = "product" . date_second
| head 5
| eval anchor="X"
| xyseries anchor date_second count

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval mvfield=","
| foreach product* [ eval mvfield = mvfield . "<<FIELD>>" . "," ]
| makemv delim="," mvfield
0 Karma

niketn
Legend

It would be better if you provided some sample events. Based on the details in the question, you can try the following rex command with max_match=0. The following is a run-anywhere search:

| makeresults
| eval _raw="productA=20
productB=50
productC=100"
| rex field=_raw "(?<product>product[^=]+)=(?<qty>.*)" max_match=0

Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

HeinzWaescher
Motivator

Here is part of a sample event. It seems to make a difference.

payload: {
consumablesUsed: {
Consumable_Grenade: 0
Consumable_Healthpack: 0
}

So the mv should include every fieldname that starts with payload.consumablesUsed.Consumable_

0 Karma

niketn
Legend

Try the following:

| rex field=_raw "Consumable_(?<product>[^:]+):\s(?<qty>\d+)" max_match=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

Since you have mentioned, payload.consumablesUsed.Consumable_, do you already have JSON data parsed and fields extracted?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

HeinzWaescher
Motivator

Yes.
The example mentioned above does not work on my side.

0 Karma

niketn
Legend

How about the updated rex command with Consumable_ for pattern matching? I tested with your sample data and it worked for me.

| makeresults
| eval _raw="payload: { 
consumablesUsed: { 
Consumable_Grenade: 0 
Consumable_Healthpack: 0 
}"
| rex field=_raw "Consumable_(?<product>[^:]+):\s(?<qty>\d+)" max_match=0

However, if you already have JSON fields extracted using KV_MODE, you can try the following in your base search

<YourBaseSearch>
| table payload.consumablesUsed.Consumable_*
| transpose column_name="product"
| rename "row 1" as quantity
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
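As an added run-anywhere example (not code from any of the posters above), the following search combines the two approaches discussed in this thread: it takes the JSON-extracted fields niketn asks about and collects their names into a true multivalue field with the foreach wildcard technique from woodcock's answer, rather than a transposed table. The JSON event is constructed for this example, and the quantity values 0 and 2 are made up. Inside foreach, "<<FIELD>>" in double quotes is the full field name as a string, "<<MATCHSTR>>" is only the part matched by the wildcard, and '<<FIELD>>' in single quotes is the field's value. The if(isnull(...)) guard seeds each multivalue field on the first iteration so that no leading delimiter or empty value is produced. For flat fields like productA=20, the same search works with foreach product* applied to the extracted fields and spath left out.

```spl
| makeresults
| eval _raw="{\"payload\":{\"consumablesUsed\":{\"Consumable_Grenade\":0,\"Consumable_Healthpack\":2}}}"
| spath
| foreach payload.consumablesUsed.Consumable_*
    [ eval full_names  = if(isnull(full_names),  "<<FIELD>>",    mvappend(full_names,  "<<FIELD>>")),
           short_names = if(isnull(short_names), "<<MATCHSTR>>", mvappend(short_names, "<<MATCHSTR>>")),
           quantities  = if(isnull(quantities),  '<<FIELD>>',    mvappend(quantities,  '<<FIELD>>')) ]
| table full_names short_names quantities
```

The result is one row whose full_names field holds payload.consumablesUsed.Consumable_Grenade and payload.consumablesUsed.Consumable_Healthpack, short_names holds Grenade and Healthpack, and quantities holds the matching values in the same order, so the three multivalue fields line up position by position if you later mvexpand or mvzip them.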