
Joining 2 Multivalue fields to generate new field value combinations

Contributor

I'm working with some JSON data that contains 1 field with a list of keys and 1 field with a list of values. These pairs may change event to event, but item 1 in field 1 will always align with item 1 in field 2. So I'd like to join these together so that I get a field name of field1value1 with the data of field2value1.

A sample of where I am right now in this:

| makeresults count=1
| eval event.key="email,user,event_id,state"
| eval event.values="user@acme.corp,Jon Smith,1234,Open"
| makemv delim="," event.key
| makemv delim="," event.values
| eval keyjoin=mvzip('event.key','event.values')
| mvexpand keyjoin

So this will properly join the data into the field keyjoin, but now I have to take out the first value in it to be the field name and the second to be the field value. Any advice?

Edit:
The desired end state would be the ability to add further search criteria after formatting the data. This is going to drive several panels, so obviously more than that, but if I can get to that stats command, then I can go from there. I just need to solve for MISSING SPL HERE:

| makeresults count=1
| eval event.key="email,user,event_id,state"
| eval event.values="user@acme.corp,Jon Smith,1234,Open"
| makemv delim="," event.key
| makemv delim="," event.values
| eval keyjoin=mvzip('event.key','event.values')
| mvexpand keyjoin
| **MISSING SPL HERE**
| stats count by state, user

Re: Joining 2 Multivalue fields to generate new field value combinations

SplunkTrust

There is an example of this in the Docs. See Example 3 under mvexpand in the Search Reference manual (https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Mvexpand#Examples).

---
If this reply helps you, an upvote would be appreciated.

Re: Joining 2 Multivalue fields to generate new field value combinations

Contributor

Sorry if I wasn't clear. Ultimately I would like to be able to do further conditionals in the search, so I need to be able to do something like | stats count by state. So state must be a fieldname with the value Open.


Re: Joining 2 Multivalue fields to generate new field value combinations

Contributor

I finally figured out the solution here:

| makeresults count=1
| eval event.key="email,user,event_id,state"
| eval event.values="user@acme.corp,Jon Smith,1234,Open"
| makemv delim="," event.key
| makemv delim="," event.values
| eval keyjoin=mvzip('event.key','event.values')
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| stats count by state

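The desired end state from the question (`stats count by state, user`) needs both fields on the same event, but after `mvexpand` each event carries only one key/value pair, so the `eval {key} = value` step above puts `state` on one row and `user` on another and a `by state, user` count drops both. Added example, not from the original thread: it tags each original event with a row id before expanding, uses "=" as the mvzip delimiter so the rex splits at the first "=" and values containing commas survive, then re-assembles the pairs per event with `stats values(*) AS *` before the final count. The second event's keys and values are constructed sample data that deliberately change the key order and omit a key.

```spl
| makeresults count=2
| streamstats count AS rid
| eval event.key=if(rid=1, "email,user,event_id,state", "user,state,event_id")
| eval event.values=if(rid=1, "user@acme.corp,Jon Smith,1234,Open", "Ann Lee,Closed,5678")
| makemv delim="," event.key
| makemv delim="," event.values
| eval keyjoin=mvzip('event.key', 'event.values', "=")
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^=]+)=(?<value>.*)$"
| eval {key}=value
| fields - keyjoin key value event.key event.values
| stats values(*) AS * BY rid
| stats count BY state, user
```

With real data, replace the `makeresults`/`eval` lines with the base search and let `streamstats` assign `rid`; the re-assembly step is what lets any later `where`, `search` or `stats` clause see all of an event's keys together.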