Multi Valued Field Help

ghostdog920
Path Finder

I have looked at a ton of posts about breaking a multivalued field but am having zero luck effecting a solution. I have a CSV file that I have imported into Splunk. In one of the fields, it contains data like this:

Subject Name: Country: US State/Province: Virginia Locality: Glen Allen 

I thought I could do field extractions to turn things like Country: into a field with the value of US, but no luck. I have looked at eval, split, regex, and mvexpand but can't seem to get the right combo/syntax to do what I want. Can someone lend me their expertise in resolving this?

Ideally, once I break this field up into its individual pieces, I want to create a dashboard that checks one of them and ties it to all its records. That's a worry for another day if I can't break up the field.

0 Karma

Sukisen1981
Champion

It should be visible in the left hand side, or append |table Country,State,Locality
Are you able to see those values in a table now?

0 Karma

Sukisen1981
Champion

This is a bit unclear. Assuming you extract the country value from the example you have shown above into a new field using rex, let's call it cntry. Now, for each column of the CSV having this field you should get your values for cntry.
Can you elaborate a bit more?

0 Karma

ghostdog920
Path Finder

Can definitely elaborate. Basically we are using Nessus to scan the environment for SSL certificates with the idea of creating a report to identify certs that will be expiring. So the output from Nessus is, say, 10 columns (what I am calling fields), comma delimited, that Splunk picks up on. Unfortunately one of those columns houses the elements that individually house about 10 attributes I really want to pull out as fields, i.e. Subject Name:, Common Name:, Country:, State/province:, Issue Date:, etc.

0 Karma
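The extraction problem described in the question and in the elaboration above, as an added example that is not from the original thread: the labels in the Nessus column are known, so each value can be read as "everything after its label up to the next known label or the end of the string", which keeps multi-word values such as "Glen Allen" intact. The label list is taken from the posts, and the source column name `cert_info` in the generated Splunk rex is an assumed placeholder.

```python
import re

# Labels the thread says occur inside the single Nessus CSV column
# (taken from the posts above; extend the list as you find more).
LABELS = [
    "Subject Name", "Common Name", "Country", "State/Province",
    "Locality", "Issue Date",
]
_LABEL_ALT = "|".join(re.escape(label) for label in LABELS)

# A value runs from its label's colon up to the next known label or the end
# of the string. The lookahead keeps multi-word values such as "Glen Allen"
# intact and lets an empty header like "Subject Name:" yield "".
_PAIR_RE = re.compile(
    rf"(?P<key>{_LABEL_ALT}):\s*(?P<value>.*?)(?=\s*(?:{_LABEL_ALT}):|$)",
    re.IGNORECASE,
)


def field_name(label: str) -> str:
    """Map a label to a Splunk-friendly field name (no spaces or slashes)."""
    return label.lower().replace("/", "_").replace(" ", "_")


def parse_cert_blob(blob: str) -> dict:
    """Split the concatenated certificate column into one field per label."""
    return {field_name(m.group("key")): m.group("value").strip()
            for m in _PAIR_RE.finditer(blob)}


def spl_rex_for(label: str, source_field: str = "cert_info") -> str:
    """Equivalent Splunk rex for one label ('cert_info' is an assumed column name).

    rex uses PCRE, so the same lookahead idea applies; one rex per label keeps
    each extracted field single-valued instead of multivalued.
    """
    others = "|".join(re.escape(l) for l in LABELS if l != label)
    regex = (rf"{re.escape(label)}:\s*(?<{field_name(label)}>.*?)"
             rf"(?=\s*(?:{others}):|$)")
    return f'| rex field={source_field} "{regex}"'


if __name__ == "__main__":
    # Constructed sample, copied from the example value in the question.
    sample = "Subject Name: Country: US State/Province: Virginia Locality: Glen Allen "
    print(parse_cert_blob(sample))
    print(spl_rex_for("Locality"))
```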