Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

foreach with mvexpand to iterate over server fields and perform an expansion

greggz
Communicator
‎12-19-2017 06:47 AM

I have various fields like "Server 1" "Server 2" ... And I want to perform an expansion of those fields like so:

                       Server 1 | Server 2

                         false  | true
  Property               false  | false
                         true   | true

Example: So the field Property for the Server1 has multiple values ( false, false, true )

foreach Server* [ mvexpand <<FIELD>> ]

But this don't work. But single expansion works 

mvexpand Server1

This is my idea for iterating every Server field and performing an expansion but I am open to other resolutions aswell! Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-19-2017 07:32 AM

Give this workaround a try (runanywhere sample, replace everything before | eval temp="" with your search)

| gentimes start=-1 | eval Property="Test" | table Property | eval Server1=split("true false true"," ") | eval Server2=split("false false true"," ") 
| eval temp="" | foreach Server* [eval temp=if(temp="", '<<FIELD>>',mvzip(temp,'<<FIELD>>'))] | mvexpand temp | foreach Server* [eval "<<FIELD>>"=mvindex(split(temp,","),<<MATCHSTR>>-1)] | fields - temp

Updated - on that worked

| gentimes start=-1 | eval Property="Test" | table Property | eval UF1=split("true false true"," ") | eval UF2=split("false false true"," ") 
  | eval temp="" | foreach UF* [eval temp=if(temp="", '<<FIELD>>',mvzip(temp,'<<FIELD>>'))] | mvexpand temp | eval sno=0| foreach UF* [eval "<<FIELD>>"=mvindex(split(temp,","),sno) | eval sno=sno+1] | fields - temp

Explanation:

| eval temp="" | foreach UF* [eval temp=if(temp="", '<<FIELD>>',mvzip(temp,'<<FIELD>>'))]

Creating a new field temp, which will be combined multivalued field for each of UF field values. 

| eval sno=0| foreach UF* [eval "<<FIELD>>"=mvindex(split(temp,","),sno) | eval sno=sno+1]

For each UF* field, I'm overwriting the current value (which can be a multivalued field, to single value from expanded temp values. The field sno is used to find specific values within temp field (temp field is comma separate combined values of UF* fields).

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-19-2017 07:32 AM

Give this workaround a try (runanywhere sample, replace everything before | eval temp="" with your search)

| gentimes start=-1 | eval Property="Test" | table Property | eval Server1=split("true false true"," ") | eval Server2=split("false false true"," ") 
| eval temp="" | foreach Server* [eval temp=if(temp="", '<<FIELD>>',mvzip(temp,'<<FIELD>>'))] | mvexpand temp | foreach Server* [eval "<<FIELD>>"=mvindex(split(temp,","),<<MATCHSTR>>-1)] | fields - temp

Updated - on that worked

| gentimes start=-1 | eval Property="Test" | table Property | eval UF1=split("true false true"," ") | eval UF2=split("false false true"," ") 
  | eval temp="" | foreach UF* [eval temp=if(temp="", '<<FIELD>>',mvzip(temp,'<<FIELD>>'))] | mvexpand temp | eval sno=0| foreach UF* [eval "<<FIELD>>"=mvindex(split(temp,","),sno) | eval sno=sno+1] | fields - temp

Explanation:

| eval temp="" | foreach UF* [eval temp=if(temp="", '<<FIELD>>',mvzip(temp,'<<FIELD>>'))]

Creating a new field temp, which will be combined multivalued field for each of UF field values. 

| eval sno=0| foreach UF* [eval "<<FIELD>>"=mvindex(split(temp,","),sno) | eval sno=sno+1]

For each UF* field, I'm overwriting the current value (which can be a multivalued field, to single value from expanded temp values. The field sno is used to find specific values within temp field (temp field is comma separate combined values of UF* fields).

Reply
Solved! Jump to solution

greggz
Communicator
‎12-19-2017 07:55 AM

Not working for me. It just sets my fields all blank..

0 Karma
Reply
Solved! Jump to solution

greggz
Communicator
‎12-19-2017 07:58 AM

Does "Split" make the value be an array ? Cause in my sample I think they're represented as an array

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-19-2017 08:21 AM

Just run this and see if the format matches your data. Yes, it's assuming that both Server1 and Server2 (or any other servers) are multivalued field (kind of arrays in Splunk).

| gentimes start=-1 | eval Property="Test" | table Property | eval Server1=split("true false true"," ") | eval Server2=split("false false true"," ")
0 Karma
Reply
Solved! Jump to solution

greggz
Communicator
‎12-19-2017 08:32 AM

Yes they seem similar. The only difference is that my server names come like "Server-1" "Server-2"

0 Karma
Reply
Solved! Jump to solution

greggz
Communicator
‎12-19-2017 08:36 AM

Oh and another difference is that my values also come as a single value sometimes. So it's a mix of arrays or a single value ( which I don't need to expand anymore ofc )

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-19-2017 08:49 AM

Does my full query works for you ?

0 Karma
Reply
Solved! Jump to solution

greggz
Communicator
‎12-19-2017 08:56 AM

Yep your sample works fine.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-19-2017 09:04 AM

Well, without seeing your current data, it'd be difficult to troubleshoot what causing it not to work. Can you provide some screenshot of your sample data (showing field Property and Servers). Mask/Blackout any sensitive data/actual server names.

0 Karma
Reply
Solved! Jump to solution

greggz
Communicator
‎12-19-2017 09:20 AM

Something along these lines: https://ibb.co/hxfiLR

And if I try to foreach UF* [mvexpand <<FIELD>> ] this is the result:

https://ibb.co/cmiES6

My multi value fields are have tripled.. why ?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-19-2017 09:37 AM

Since you're expanding one field at a time, the total number of rows will become N*N (say you've 3 items, first field will yield 3 rows after mvexpand, with second field still multivalued field in all. Second mvexpand will again yield 3 rows for each row).

What do you get when you just add following to your search??Specially in field temp

your search with field Property UF_* fields 
| eval temp="" | foreach Server* [eval temp=if(temp="", '<<FIELD>>',mvzip(temp,'<<FIELD>>'))] | mvexpand temp
0 Karma
Reply
Solved! Jump to solution

greggz
Communicator
‎12-19-2017 09:44 AM

Oh jeez. So that's what's happening...

This is what happens in temp. The other UF* remain "Un-Expanded"

https://ibb.co/kgBXfR

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-19-2017 10:47 AM

Got the issue. I kinda assumed that all servernames are integer numbers. Try this 

| gentimes start=-1 | eval Property="Test" | table Property | eval UF1=split("true false true"," ") | eval UF2=split("false false true"," ") 
 | eval temp="" | foreach UF* [eval temp=if(temp="", '<<FIELD>>',mvzip(temp,'<<FIELD>>'))] | mvexpand temp | eval sno=0| foreach UF* [eval "<<FIELD>>"=mvindex(split(temp,","),sno) | eval sno=sno+1] | fields - temp
0 Karma
Reply
Solved! Jump to solution

greggz
Communicator
‎12-19-2017 11:33 AM

Yep it really works, but I've got no clue what's happening in there haha. Better go read the docs! Do you wish to post this as your answer or should I just accept the other one ? Thanks for your time man! Really apreciated it

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-19-2017 12:54 PM

I just added the working query to main answer.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-19-2017 07:13 AM

What should be the final output after expansion? (based on your sample data in question)

0 Karma
Reply
Solved! Jump to solution

greggz
Communicator
‎12-19-2017 07:15 AM

Hello! Something like this

              Server1    Server2 

Property      false        true
Property      false       false
Property      true        true
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-19-2017 07:24 AM

And the field names are dynamic or static?

0 Karma
Reply
Solved! Jump to solution

greggz
Communicator
‎12-19-2017 07:29 AM

They migth change yes. Hence the "Server*". The Property field name is the same always

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...