Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SPL: Use regex replacement string multiple times

_Tom
Explorer
‎10-27-2021 01:57 AM

Hello *,

I am looking for an SPL that reads the first part of a string via regex and replaces all occurrences of a certain character with this first part. This is to be used for summary indexing. 

Example:

 

1;A__B
2;B__C__D__A__E
3;G

 

is to be transformed into (each line will become a value in a multivalue field):

 

1;A
1;B
2;B
2;C
2;D
2;A
2;E
3;G

 

Neither replace nor rex seem to be able to afford multiple replacements of this kind. I also tried foreach with some field extractions but failed. Before I write a custom search command for it, I hope for your ideas to solve the problem with some clever standard SPL.  

Thank you in advance for your thoughts!

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-27-2021 02:11 AM 
| makeresults
| eval _raw="1;A__B
2;B__C__D__A__E
3;G"
| multikv noheader=t
| table _raw




| eval first=mvindex(split(_raw,";"),0)
| eval second=split(mvindex(split(_raw,";"),1),"_")
| mvexpand second
| where second!=""
| eval _raw=first.";".second

View solution in original post

Reply
Solved! Jump to solution

_Tom
Explorer
‎10-28-2021 09:03 AM

 

 

Hello @ITWhisperer,

thank you very much for the quick answer, which helped a lot. We need to do the transformation for multiple fields within a complex query. Therefore, the solution had to be adapted somewhat: 

| makeresults 
| eval fieldname1="1;A__B
2;B__C__D__A__E
3;G"
| eval other_fields_1="other_content"

| eval tmp_raw = _raw
| eval _raw=fieldname1 ``` temporarily overwriting _raw with the field value ```
| multikv noheader=t
| table _raw *other_fields* ``` to keep the fields which we still need ```
| eval first=mvindex(split(_raw,";"),0)
| eval second=split(mvindex(split(_raw,";"),1),"__")
| mvexpand second
| eval _raw=first.";".second
| rename _raw as fieldname1
| fields  - first,second
| mvcombine delim="\n" fieldname1 ``` to get a multivalue field ```
| eval _raw = tmp_raw
| table *

Is there a better solution than overwriting _raw with the field value? I also was surprised that creating a multikv.conf file seems not to be required, as it autodetects semicolon as the separator and ignores the underlines.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-29-2021 04:31 AM

You could try rename _raw as tmp_raw and fieldname1 as _raw rather the two assignments but, this is as good a way as any to get multikv to work.

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-27-2021 02:11 AM 
| makeresults
| eval _raw="1;A__B
2;B__C__D__A__E
3;G"
| multikv noheader=t
| table _raw




| eval first=mvindex(split(_raw,";"),0)
| eval second=split(mvindex(split(_raw,";"),1),"_")
| mvexpand second
| where second!=""
| eval _raw=first.";".second
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...