Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

replace multivalue field values

mariobisio
Explorer
‎11-07-2020 06:54 AM

Hi guys,

I'm trying to replace values in an irregular multivalue field.

I don't want to use mvexpand because I need the field remains multivalue.

Here some examples of my multivalues fields

#1

115000240259839935-619677868589516300
1003000210260195023-294635473830872390
1003000210260241553-580541817408914764
531000140235102831-490142552617583496
115000240260262212-692365156372645389
 
#2
448000250026778748-44531981890881098
1286000030219284359-851572649149989069
 
I told irregular because the multivalue field could be compose by 1 or n values.
 
My goal is to keep only the numerical part before the "-"
for example:
the #1 should became
 
115000240259839935
1003000210260195023
1003000210260241553
531000140235102831
115000240260262212
 
the #2 should become:
448000250026778748
1286000030219284359
 
Thanks in advance for your help
 
Regards
Mario
Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2020 04:01 AM 
| eval yourfield=mvmap(yourfield,mvindex(split(yourfield,"-"),0))

View solution in original post

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎11-08-2020 04:15 AM 
| makeresults 
| eval field1="115000240259839935-619677868589516300
1003000210260195023-294635473830872390
1003000210260241553-580541817408914764
531000140235102831-490142552617583496
115000240260262212-692365156372645389"
| eval field2="448000250026778748-44531981890881098
1286000030219284359-851572649149989069"
| rename COMMENT as "from here, the logic"
| rex max_match=0 field=field1  "(?<result1>(?m)^\d+)"
| rex max_match=0 field=field2  "(?<result2>(?m)^\d+)"

How about rex?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2020 04:01 AM 
| eval yourfield=mvmap(yourfield,mvindex(split(yourfield,"-"),0))
Reply
Solved! Jump to solution

mariobisio
Explorer
‎11-16-2020 12:39 AM

Hi ITWhisperer,

this i s exactly what I was looking for.

Thank you very much

Great Job

 

Regards

Mario

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...