Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Parsing mutlivalued field

tbo
Explorer
‎12-19-2013 06:38 AM

I have two fields, say foo and bar. They both have the same format. An example of the fields could be

foo="{a=3, b=4, c=11}"
bar="{x=1, y=5, z=3}"

I want to parse and use these multivalued fields. That is, I want to be able to extract and use a, b,... and use them in calculations (using eval). Can anyone tell me whether this is even possible, and if it is, how I do it?

If you want to know all of it, what I wish to calculate is this: (a*x + b*y + c*z)/(x + y + z). In the above example, the result of this calculation would be 7.

Oh, and what makes this even more difficult (I think), is that I might actually have more fields, containing say a, b and c. So, there might as well be the field

baz="{a=23, b=1, c=6}"

I'll have to be sure I don't wind up using these values of a, b and c in the calculation.

Tags (1)
0 Karma
Reply

asimagu
Builder
‎12-19-2013 12:45 PM

You have two easy options:

1 - Using inline field extractions. You will need to use the attribute max_match
For example | rex max_match=100 field=foo "........"

2 - Creating the automatic field extractions via the manager:
Create the field extraction ticking the option of "using transform", then create the transform ticking the box where it allows the field to be multivalue

I hope that makes sense, buddy

0 Karma
Reply

tbo
Explorer
‎12-19-2013 11:01 PM

I can't find any of those options ("using transform", or where it's allowed to be multivariate) - where do I find these?

0 Karma
Reply

lukejadamec
Super Champion
‎12-19-2013 07:29 AM

Have you tried the Field Extractor?
You can also use rex to extract the fields. Something like:

search foo="*" OR bar="*" OR baz="*" |rex field=foo "(?i).*a=(?P<valueA>\d+),\sb=(?P<valueB>\d+),\sc=(?P<valueC>\d+)\D" |rex field=bar ....and so on

The exact regex will depend on the actual data structure of the fields.

Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-19-2013 07:13 AM

Can you also attach a sample of the log?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...