
Splitting a multi-valued field

jaterlwj
Explorer

I was wondering if there's any possible way to split up a multi-valued field using Splunk.

For example, I have a field called "classifications" and it looks like this.

classifications = 1;2;3;4;5;6

Is there any way to split it so that when I search "classifications=2" it would understand and show accordingly?

Thanks in advance!


cmerriman
Super Champion

I ran into this problem and have a rough workaround. I have to create an mv field using values for a particular reason, and then match a substring of that value to another field.

...|stats values(field) as fieldname by sourcetype
| nomv fieldname
|rex mode=sed field=fieldname "s/ /,/g"
|rex mode=sed field=fieldname "s/^/,/"
|rex mode=sed field=fieldname "s/$/,/"
|eval match=if(isnotnull(match(fieldname,",".matchfield.",")),1,0)

I realize this isn't EXACTLY what you need to do, but it might help start you off. I did a nomv to get it into one row and then replaced my spaces with commas, however it looks like you're already ; delimited so you're a few steps ahead of me. You might be able to get by with just doing something along the lines of

...|eval match=if(isnotnull(match(fieldname,";"."2".";")),1,0) |search match=1

melonman
Motivator

I am not sure if this is a good solution for you, but I had a similar situation where I needed to get the split values from multivalued fields.

Basically, the way to split the multivalued field was the same as the one posted by csharp_splunk.
This was how I tested it; it is messy, but it worked.

* | head 1 | eval classifications = "1;2;3;4;5;6" | makemv delim=";" classifications | top classifications | fields classifications | search classifications=2

This returns 2 only.

The part:

* | head 1 | eval classifications = "1;2;3;4;5;6"

is just to create dummy fields...


rps462
Path Finder

I have a field that has: value1,value2,value3. I was using split: split_value=split(field, ",")

Afterwards, however, I was not able to search on just one of the items. My search string:

| eval values=split(field, ",") | search values=foo
This search would show all of the results of values, instead of just foo.

Using the makemv delim method, it works. Weird ...


rps462
Path Finder

pfft .. nevermind, it does the same thing - this is driving me crazy. I cannot restrict the search to certain elements of a field after a split.


jaterlwj
Explorer

I'm not sure what I am missing. Similar to csharp_splunk's method, I can't get it to work properly.

My records usually either start with a 0 (0;1;2;3) or a 2 (2;3;4;5), etc.

So after splitting, when I tried to list them out using stats count by classifications, they only showed 0 and 2.

Is it normal? I can't seem to search for values either.


csharp_splunk
Splunk Employee

Easy.

<whatever search> | eval splitted=split(classifications, ";") | search splitted=<value>

Substitute field names as you see fit.
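As an added example (not posted by anyone in this thread), the pipeline below builds two constructed events with makeresults, splits the ;-delimited field, keeps only events that contain the value 2, and then uses mvexpand so stats produces one row per split value:

```spl
| makeresults count=2
| streamstats count AS n
| eval classifications=if(n=1, "0;1;2;3", "2;3;4;5")
| makemv delim=";" classifications
| search classifications=2
| mvexpand classifications
| stats count BY classifications
```

Both constructed events survive the search because a search against a multivalue field matches when any one of its values matches; remove the mvexpand line to see the whole events instead of per-value counts.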

jaterlwj
Explorer

I'm sorry, I lost you there. By left-hand side inspector, do you mean the search terms?


gokadroid
Motivator

The left-hand side inspector, I suppose, is the side panel where all interesting and extracted fields show up.


jrodman
Splunk Employee

I'd use the left-hand side inspector to show the values of splitted in the results, to get a better idea of the behavior you're getting.


jaterlwj
Explorer

Hi. Thanks for your prompt reply!
I have tried to replace the <value> with 1, but it does not return any results. Is there anything I'm missing? I am assuming it's just 1 and not "1" or <1> for the values at the moment!
