Splunk Search

Splitting a multi-valued field

Explorer

I was wondering if there's any possible way to split up a multi-valued field using Splunk.

For example. I have field called "classifications" and it looks like this.

classifications = 1;2;3;4;5;6

Is there any way to split it so that when I search "classifications=2" it would understand and show accordingly?

Thanks in advance!

0 Karma

Super Champion

I run into this problem and have a rough workaround. I have to create an mv field using values for a particular reason, and then match a substring of that value to another field.

...|stats values(field) as fieldname by sourcetype
| nomv fieldname
| rex mode=sed field=fieldname "s/ /,/g"
| rex mode=sed field=fieldname "s/^/,/"
| rex mode=sed field=fieldname "s/$/,/"
| eval match=if(match(fieldname, ",".matchfield.","), 1, 0)

I realize this isn't EXACTLY what you need to do, but it might help start you off. I did a nomv to get it into one row and then replaced my spaces with commas, however it looks like you're already ; delimited so you're a few steps ahead of me. You might be able to get by with just doing something along the lines of

...|eval match=if(match(fieldname, ";2;"), 1, 0) | search match=1
0 Karma

Motivator

I am not sure if this is a good solution for you, but I had a similar situation where I needed to get the split values from multivalued fields.

Basically the way to split the multivalued field was the same as the one posted by csharp_splunk.
This was how I tested and is messy, but it worked.

* | head 1 | eval classifications = "1;2;3;4;5;6" | makemv delim=";" classifications | top classifications | fields classifications | search classifications=2

This returns 2 only.

The part:

* | head 1 | eval classifications = "1;2;3;4;5;6"

is just to create dummy fields...

0 Karma
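The two approaches in the thread so far, csharp_splunk's delimiter-padding trick and the makemv/split approach, are modelled below in plain Python so the difference in matching behaviour is visible. This is an added illustration, not code from the thread or from Splunk; the event records are constructed sample data, and the function names are mine. It deliberately includes the tokens "2", "12" and "22" in the same field, because that is where a naive substring search goes wrong and where both of the thread's techniques hold up.

```python
"""Model of how a delimited 'classifications' field behaves under three
matching strategies. Added example with constructed data; the functions
mimic the SPL ideas from the thread rather than calling Splunk.
"""
import re

# Constructed sample events (not real data). Note that "2", "12" and "22"
# all appear, which is what trips up substring matching.
EVENTS = [
    {"host": "web01", "classifications": "1;2;3;4;5;6"},
    {"host": "web02", "classifications": "0;1;12"},
    {"host": "web03", "classifications": "2;3;4;5"},
    {"host": "web04", "classifications": "12;22"},
]


def naive_substring_match(events, value, field="classifications"):
    """Wildcard-style matching (classifications=*2*): any event whose raw
    string merely contains the digits is returned, so '12' matches '2'."""
    return [e["host"] for e in events if value in e[field]]


def padded_delimiter_match(events, value, field="classifications", delim=";"):
    """csharp_splunk's trick: pad the raw string with the delimiter on both
    ends and look for ';2;'. Now '12' cannot satisfy a search for '2'.
    Splunk's match() takes a regex, so the needle is escaped here to keep
    values with metacharacters from being interpreted as patterns."""
    needle = re.escape(f"{delim}{value}{delim}")
    hits = []
    for e in events:
        padded = f"{delim}{e[field]}{delim}"   # the two sed steps s/^/;/ and s/$/;/
        if re.search(needle, padded):         # match(fieldname, ";".value.";")
            hits.append(e["host"])
    return hits


def makemv_match(events, value, field="classifications", delim=";"):
    """makemv delim=";" (or eval split(field, ";")) followed by
    search classifications=<value>: the field becomes a list of values and a
    search term matches when ANY single value equals it exactly."""
    hits = []
    for e in events:
        mv = e[field].split(delim)   # one multivalue field per event
        if value in mv:              # exact comparison per value, no substrings
            hits.append(e["host"])
    return hits


def stats_count_by(events, field="classifications", delim=";"):
    """stats count by classifications over the multivalue field: every value
    of every event is counted once, so each distinct token gets its own row.
    If only the first token per event shows up, the field was never split."""
    counts = {}
    for e in events:
        for v in e[field].split(delim):
            counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    print("substring  '2':", naive_substring_match(EVENTS, "2"))
    print("padded     '2':", padded_delimiter_match(EVENTS, "2"))
    print("makemv     '2':", makemv_match(EVENTS, "2"))
    print("makemv    '12':", makemv_match(EVENTS, "12"))
    print("count by value:", stats_count_by(EVENTS))
```

The padded version only works if the padding step actually ran; searching for ";2;" against the unpadded "2;3;4;5" misses the leading token, which is why the sed steps that prepend and append a delimiter are part of the recipe. The makemv/split version has no such dependency, and the `stats_count_by` model shows what a correctly split field looks like when counted: one row per distinct token, not just the first token of each event.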

Explorer

I have a field that has: value1,value2,value3. I was using split: split_value=split(field, ",")

Afterwards, however, I was not able to search on just one of the items. My search string:

| eval values=split(field, ",") | search values=foo**

This search would show all of the results of values, instead of just foo.

Using the makemv delim method, it works. Weird ...

0 Karma

Explorer

pfft .. nevermind, it does the same thing - this is driving me crazy. I cannot restrict the search to certain elements of a field after a split.

0 Karma

Explorer

I'm not sure what I'm missing. Similar to csharp_splunk's method, I can't get it to work properly.

My records usually either start with a 0 (0;1;2;3) or 2 (2;3;4;5), etc.

So after splitting, when I tried to list them out using stats count classifications, they only showed 0 and 2.

Is it normal? I can't seem to search for values either.

0 Karma

Splunk Employee

Easy.

<whatever search> | eval splitted=split(classifications, ";") | search splitted=<value>

Substitute field names as you see fit.

Explorer

I'm sorry, I lost you there. By left-hand side inspector, do you mean the search terms?

0 Karma

Motivator

The left-hand side inspector, I suppose, is the side panel where all interesting and extracted fields show up.

0 Karma

Splunk Employee

I'd use the left-hand side inspector to show the values of splitted in results, to get a better idea the behavior you're getting.

0 Karma

Explorer

Hi. Thanks for your prompt reply!
I have tried to replace the <value> with 1 but it does not return any results. Is there anything I'm missing? I am assuming it's just 1 and not "1" or <1> for the values at the moment!

0 Karma