Parsing mutlivalued field

tbo · ‎12-19-2013

I have two fields, say foo and bar. They both have the same format. An example of the fields could be

foo="{a=3, b=4, c=11}"
bar="{x=1, y=5, z=3}"

I want to parse and use these multivalued fields. That is, I want to be able to extract and use a, b,... and use them in calculations (using eval). Can anyone tell me whether this is even possible, and if it is, how I do it?

If you want to know all of it, what I wish to calculate is this: (a*x + b*y + c*z)/(x + y + z). In the above example, the result of this calculation would be 7.

Oh, and what makes this even more difficult (I think), is that I might actually have more fields, containing say a, b and c. So, there might as well be the field

baz="{a=23, b=1, c=6}"

I'll have to be sure I don't wind up using these values of a, b and c in the calculation.

asimagu · ‎12-19-2013

You have two easy options:

1 - Using inline field extractions. You will need to use the attribute max_match
For example | rex max_match=100 field=foo "........"

2 - Creating the automatic field extractions via the manager:
Create the field extraction ticking the option of "using transform", then create the transform ticking the box where it allows the field to be multivalue

I hope that makes sense, buddy

tbo · ‎12-19-2013

I can't find any of those options ("using transform", or where it's allowed to be multivariate) - where do I find these?

lukejadamec · ‎12-19-2013

Have you tried the Field Extractor?
You can also use rex to extract the fields. Something like:

search foo="*" OR bar="*" OR baz="*" |rex field=foo "(?i).*a=(?P<valueA>\d+),\sb=(?P<valueB>\d+),\sc=(?P<valueC>\d+)\D" |rex field=bar ....and so on

The exact regex will depend on the actual data structure of the fields.

dmaislin_splunk · ‎12-19-2013

Can you also attach a sample of the log?

Parsing mutlivalued field

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!