Hi,
is it possible to create a multivalue field out of fieldnames with a specific pattern?
Let's say we have several product fields in an event:
productA=20
productB=50
productC=100
...
Can we create a multivalue field that includes all fieldnames that start with "product"?
mv_field={productA productB productC}
Cheers
Heinz
Assuming that your original fields are not multi-valued fields, then like this:
index=_*
| stats count by date_second
| eval date_second = "product" . date_second
| head 5
| eval anchor="X"
| xyseries anchor date_second count
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval mvfield=","
| foreach product* [ eval mvfield = mvfield . $<<FIELD>>$ . "," ]
| makemv delim="," mvfield
It would be better if you provided some sample events. Based on the details in the question you can try the following rex command with max_match=0. Following is the run-anywhere search:
| makeresults
| eval _raw="productA=20
productB=50
productC=100"
| rex field=_raw "(?<product>product[^=]+)=(?<qty>.*)" max_match=0
Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex
Here is the part of a sample event. Seems to make a difference
payload: { [-]
consumablesUsed: { [-]
Consumable_Grenade: 0
Consumable_Healthpack: 0
}
So the mv should include every fieldname that starts with payload.consumablesUsed.Consumable_
Try the following:
| rex field=_raw "Consumable_(?<product>[^:]+):\s(?<qty>\d+)" max_match=0
Since you have mentioned payload.consumablesUsed.Consumable_, do you already have JSON data parsed and fields extracted?
Yes.
The example mentioned above does not work on my side.
How about the updated rex command with Consumable_ for pattern matching? I tested with your sample data and it worked for me.
| makeresults
| eval _raw="payload: {
consumablesUsed: {
Consumable_Grenade: 0
Consumable_Healthpack: 0
}"
| rex field=_raw "Consumable_(?<product>[^:]+):\s(?<qty>\d+)" max_match=0
However, if you already have JSON fields extracted using KV_MODE, you can try the following in your base search
<YourBaseSearch>
| table payload.consumablesUsed.Consumable_*
| transpose column_name="product"
| rename "row 1" as quantity
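For the original question (a multivalue field holding the matching field names rather than their values), one approach is foreach combined with mvappend. The run-anywhere search below is an added example, not posted by any participant in this thread; the sample event is constructed from the fragment quoted above, and mv_field and mv_short are illustrative field names.

```spl
| makeresults
| eval _raw="{\"payload\":{\"consumablesUsed\":{\"Consumable_Grenade\":0,\"Consumable_Healthpack\":0}}}"
| spath
| rename COMMENT AS "Constructed sample event above; the foreach below collects the matching field names"
| foreach payload.consumablesUsed.Consumable_*
    [ eval mv_field=mvappend(mv_field, "<<FIELD>>"),
           mv_short=mvappend(mv_short, "<<MATCHSTR>>") ]
| table mv_field mv_short
```

Inside the foreach template, <<FIELD>> expands to the full field name and <<MATCHSTR>> to the part matched by the wildcard, so mv_field holds the full dotted names and mv_short holds Grenade and Healthpack. For the flat fields in the first post, the same template works with foreach product*.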