Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Split 2 fields into each rows

Annna
Explorer
‎02-27-2021 10:25 PM

Annna_0-1614493032347.png

How to have split, i tired many ways but its coming out.

Output:

ABC
288136957166871812
288137548162919303
288137548269101805
288137548384124302
488136313166871812
488136313265252707
488136313365602005
488136313469101805

 

Thanks for the help.

0 Karma
Reply

tread_splunk
Splunk Employee
Splunk Employee
‎03-02-2021 07:55 AM 
| makeresults 
| eval _raw="
A         B          C                          D
288813    1          45456                      car
388812    1|2|3|4    45456|12312|78978|12454    car|Rose|Toy|Bus
484784    1|2|3      12312|78978|12454          Rose|Toy|Bus" 
| multikv forceheader=1 
| fields - _time _raw linecount 
| eval B=split(B,"|"), C=split(C,"|"), D=split(D,"|") 
| eval E=mvzip(B,mvzip(C,D))
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-28-2021 01:33 AM

Hi @Annna,

at first you could find a different way to aggregate data using the thats command, so instead to use

| stats values(B) AS B values(C) AS C BY A

you could use something like this:

| stats BY A B C

If this is non acceptable for you, you have to use the the mvexpand command to denormalize your table.

when you have only one field to denormalize it's easy :

| stats values(B) AS B values(C) AS C BY A 
| mvexpand B

The problem is when you have two or more fields multivalue (as your case) because the order could be different than the real pair fieldB/fieldC.

So you have to aggregate B and C before stats and then split after:

| eval temp=B."|".C
| stats values(temp) AS temp BY A 
| mvexpand temp
| rex field=temp "^(?<B>\d+)\|(?<C>\d+)"
| table A B C

Ciao.

Giuseppe

0 Karma
Reply

Annna
Explorer
‎03-02-2021 06:22 AM

If the data be like this 

ABCD
288813145456car
3888121
2
3
4
45456
12312
78978
12454		car
Rose
Toy
Bus
4847841
2
3		12312
78978
12454		Rose
Toy
Bus

IN above scenario how it works split for the rows.

output be like:

ABCD
288813145456car
388812145456car 
388812212312Rose
388812378978Toy
388812412454Bus
484784112312Rose
484784278978Toy
484784312454Bus
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2021 06:59 AM

It depends on whether you have access to the data before it is put into multi-value fields

| eval temp=B."|".C."|".D
| stats values(temp) AS temp BY A 
| mvexpand temp
| rex field=temp "^(?<B>[^\|]+)\|(?<C>[^\|]+)\|(?<D>[^\|]+)"
| table A B C D

If you don't, it depends if which version of splunk you are using and whether mvzip is available to you

| eval temp=mvzip(mvzip(B, C, "|"),D, "|")
| fields - B C D
| mvexpand temp
| rex field=temp "^(?<B>[^\|]+)\|(?<C>[^\|]+)\|(?<D>[^\|]+)"
| table A B C D

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...