I know it's already a party. But I have to agree with @PickleRick that throwing out a random SPL snippet is not a good way to use volunteers' time. Here are four golden rules of asking an answerable question that I call four commandments:
- Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search (SPL that volunteers here do not have to look at).
- Illustrate the desired output from illustrated data.
- Explain the logic between illustrated data and desired output without SPL.
- If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.
In this spirit, if I have to read your mind, I will start by reverse engineering what your data look like: Some your raw data contains text strings like "Duplicate Id's that needs to be displayed ::::::[6523409, 6529865]". Given such an event, the desired output is a multivalue field containing values 6523409 and6529865. Let us call this field "duplicate_ids". Something to this effect:
| _raw | duplicate_ids |
| blah, blah, blah Duplicate Id's that needs to be displayed ::::::[6523409, 6529865] - and more blahs | 6523409 6529865 |
Is this the use case? If yes, here is what I do
| rex "Duplicate Id's that needs to be displayed :*(?<duplicate_ids>\[[^\]]+\])"
| eval duplicate_ids = json_array_to_mv(duplicate_ids)
(The above requires Splunk 8.1 or later. But it is not the only way to do this.)
Here is an emulation for you to play with and compare with real data
| makeresults
| fields - _time
| eval _raw = "blah, blah, blah Duplicate Id's that needs to be displayed ::::::[6523409, 6529865] - and more blahs"
``` data emulation above ```
