Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

mvexpand multiple multi-value fields: How do I turn my three multi-value fields into tuples?

nathanh42
Explorer
‎06-02-2011 10:43 PM

I have a query that extracts useful info from a storage system report.

rex "quota list --verbose (?<fs>[A-Z0-9_]+) " | rex max_match=1000 "ViVol: (?<vivol>(?!user)[A-Za-z0-9]+)\nUsage\s+:\s+(?<usage>[0-9. A-Za-z]+)\n\s*Limit\s+:\s+(?<limit>[0-9A-Z. ]+)" | table fs, vivol, usage, limit

There is a single line at the start of the report with the filesystem which I extract as the "fs" field. Then there are several volume descriptions containing separate lines for the volume, usage and limit.

This query produces a single-value field for "fs" then three multi-value fields "vivol", "usage" and "limit". e.g.

   fs                       vivol                 usage                    limit
   FIRST_FS                 VOL_ABC               100                      300
                            VOL_XYZ               320                      800
                            VOL_123               50                       150

When I export this to Excel (using CSV) the multi-value fields are all within a single cell. I want them on separate rows. If I use mvexpand I get the unexpected behaviour that it will properly expand one field but leave the others unexpanded. If I expand all three fields they lose correlation so I get rows that are mixed-up.

   FIRST_FS                 VOL_123              320                       300

How do I turn my three multi-value fields into tuples? I want to keep them together so the first row in "vivol" matches the first rows in "usage" and "limit". Bear in mind there are many "fs" events (about 100 of them).

Labels (1)
Labels
Reply

djfang
Explorer
‎05-07-2015 09:45 AM

Just ran into a similar issue, glad I found your solution. Thanks!

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎03-16-2012 06:50 PM

I just had the same issue.

Create a single field with all the eventual fields you want, so you have a single MV, then use mvexpand to create the multiple entries, then do another parse on the (now single-) value to extract the three fields.

Reply

nathanh42
Explorer
‎06-02-2011 10:47 PM

Here's an example of the storage system report I'm starting with, if that helps.

Content-Transfer-Encoding: 7bit
Scheduled job console-context --evs 1 quota list --verbose FIRST_FS produced the following output:
Type            : Explicit
Target          : ViVol: VOL_ABC
Usage           : 100 GB
  Limit         : 500 GB (Hard)
Last modified   : 2010-12-19 04:56:50.834383000+00:00
Type            : Explicit
Target          : ViVol: VOL_123
Usage           : 609 GB
  Limit         : 3 TB (Hard)
Last modified   : 2010-12-21 04:04:23.757073000+00:00
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...