Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Split 2 fields into each rows

Annna
Explorer
‎02-27-2021 10:25 PM

Annna_0-1614493032347.png

How to have split, i tired many ways but its coming out.

Output:

ABC
288136957166871812
288137548162919303
288137548269101805
288137548384124302
488136313166871812
488136313265252707
488136313365602005
488136313469101805

 

Thanks for the help.

Labels (1)
Labels
0 Karma
Reply

tread_splunk
Splunk Employee
Splunk Employee
‎03-02-2021 07:55 AM 
| makeresults 
| eval _raw="
A         B          C                          D
288813    1          45456                      car
388812    1|2|3|4    45456|12312|78978|12454    car|Rose|Toy|Bus
484784    1|2|3      12312|78978|12454          Rose|Toy|Bus" 
| multikv forceheader=1 
| fields - _time _raw linecount 
| eval B=split(B,"|"), C=split(C,"|"), D=split(D,"|") 
| eval E=mvzip(B,mvzip(C,D))
0 Karma
Reply

gcusello
Esteemed Legend
‎02-28-2021 01:33 AM

Hi @Annna,

at first you could find a different way to aggregate data using the thats command, so instead to use

| stats values(B) AS B values(C) AS C BY A

you could use something like this:

| stats BY A B C

If this is non acceptable for you, you have to use the the mvexpand command to denormalize your table.

when you have only one field to denormalize it's easy :

| stats values(B) AS B values(C) AS C BY A 
| mvexpand B

The problem is when you have two or more fields multivalue (as your case) because the order could be different than the real pair fieldB/fieldC.

So you have to aggregate B and C before stats and then split after:

| eval temp=B."|".C
| stats values(temp) AS temp BY A 
| mvexpand temp
| rex field=temp "^(?<B>\d+)\|(?<C>\d+)"
| table A B C

Ciao.

Giuseppe

0 Karma
Reply

Annna
Explorer
‎03-02-2021 06:22 AM

If the data be like this 

ABCD
288813145456car
3888121
2
3
4
45456
12312
78978
12454		car
Rose
Toy
Bus
4847841
2
3		12312
78978
12454		Rose
Toy
Bus

IN above scenario how it works split for the rows.

output be like:

ABCD
288813145456car
388812145456car 
388812212312Rose
388812378978Toy
388812412454Bus
484784112312Rose
484784278978Toy
484784312454Bus
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2021 06:59 AM

It depends on whether you have access to the data before it is put into multi-value fields

| eval temp=B."|".C."|".D
| stats values(temp) AS temp BY A 
| mvexpand temp
| rex field=temp "^(?<B>[^\|]+)\|(?<C>[^\|]+)\|(?<D>[^\|]+)"
| table A B C D

If you don't, it depends if which version of splunk you are using and whether mvzip is available to you

| eval temp=mvzip(mvzip(B, C, "|"),D, "|")
| fields - B C D
| mvexpand temp
| rex field=temp "^(?<B>[^\|]+)\|(?<C>[^\|]+)\|(?<D>[^\|]+)"
| table A B C D

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti &#x1f389; —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...