Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Parsing mutlivalued field

tbo
Explorer
‎12-19-2013 06:38 AM

I have two fields, say foo and bar. They both have the same format. An example of the fields could be

foo="{a=3, b=4, c=11}"
bar="{x=1, y=5, z=3}"

I want to parse and use these multivalued fields. That is, I want to be able to extract and use a, b,... and use them in calculations (using eval). Can anyone tell me whether this is even possible, and if it is, how I do it?

If you want to know all of it, what I wish to calculate is this: (a*x + b*y + c*z)/(x + y + z). In the above example, the result of this calculation would be 7.

Oh, and what makes this even more difficult (I think), is that I might actually have more fields, containing say a, b and c. So, there might as well be the field

baz="{a=23, b=1, c=6}"

I'll have to be sure I don't wind up using these values of a, b and c in the calculation.

Tags (1)
0 Karma
Reply

asimagu
Builder
‎12-19-2013 12:45 PM

You have two easy options:

1 - Using inline field extractions. You will need to use the attribute max_match
For example | rex max_match=100 field=foo "........"

2 - Creating the automatic field extractions via the manager:
Create the field extraction ticking the option of "using transform", then create the transform ticking the box where it allows the field to be multivalue

I hope that makes sense, buddy

0 Karma
Reply

tbo
Explorer
‎12-19-2013 11:01 PM

I can't find any of those options ("using transform", or where it's allowed to be multivariate) - where do I find these?

0 Karma
Reply

lukejadamec
Super Champion
‎12-19-2013 07:29 AM

Have you tried the Field Extractor?
You can also use rex to extract the fields. Something like:

search foo="*" OR bar="*" OR baz="*" |rex field=foo "(?i).*a=(?P<valueA>\d+),\sb=(?P<valueB>\d+),\sc=(?P<valueC>\d+)\D" |rex field=bar ....and so on

The exact regex will depend on the actual data structure of the fields.

Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-19-2013 07:13 AM

Can you also attach a sample of the log?

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...