Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parsing mutlivalued field

tbo
Explorer
‎12-19-2013 06:38 AM

I have two fields, say foo and bar. They both have the same format. An example of the fields could be

foo="{a=3, b=4, c=11}"
bar="{x=1, y=5, z=3}"

I want to parse and use these multivalued fields. That is, I want to be able to extract and use a, b,... and use them in calculations (using eval). Can anyone tell me whether this is even possible, and if it is, how I do it?

If you want to know all of it, what I wish to calculate is this: (a*x + b*y + c*z)/(x + y + z). In the above example, the result of this calculation would be 7.

Oh, and what makes this even more difficult (I think), is that I might actually have more fields, containing say a, b and c. So, there might as well be the field

baz="{a=23, b=1, c=6}"

I'll have to be sure I don't wind up using these values of a, b and c in the calculation.

Tags (1)
0 Karma
Reply

asimagu
Builder
‎12-19-2013 12:45 PM

You have two easy options:

1 - Using inline field extractions. You will need to use the attribute max_match
For example | rex max_match=100 field=foo "........"

2 - Creating the automatic field extractions via the manager:
Create the field extraction ticking the option of "using transform", then create the transform ticking the box where it allows the field to be multivalue

I hope that makes sense, buddy

0 Karma
Reply

tbo
Explorer
‎12-19-2013 11:01 PM

I can't find any of those options ("using transform", or where it's allowed to be multivariate) - where do I find these?

0 Karma
Reply

lukejadamec
Super Champion
‎12-19-2013 07:29 AM

Have you tried the Field Extractor?
You can also use rex to extract the fields. Something like:

search foo="*" OR bar="*" OR baz="*" |rex field=foo "(?i).*a=(?P<valueA>\d+),\sb=(?P<valueB>\d+),\sc=(?P<valueC>\d+)\D" |rex field=bar ....and so on

The exact regex will depend on the actual data structure of the fields.

Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-19-2013 07:13 AM

Can you also attach a sample of the log?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...