- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
replace space in multi-value field with comma
Hi.
i have field input_source_file and I need to make it a comma separated field so that I can group by that and source and get a count, i followed the thread "http://splunk-base.splunk.com/answers/79030/replace-space-in-multi-value-filed-with-comma" but not able to get the result.
data in input_source_file is : aaaa bbbb
desired: aaaa,bbbb
My query is:
sourcetype="mslogs" ("MPSVCCMN_10081" OR "DBG_21430") earliest="12/5/2012:16:08:00" latest="12/5/2013:16:16:00" | rex field=_raw "Mapping service is running [(?
sample event:
2012-12-05 20:19:17 INFO: [MPSVCCMN_10081] Mapping service is running [xxxx] deployed in [yyyy]
2012-12-05 20:19:17 INFO: READER_1_1_1, DBG_21430, Reading data from input source file [aaaa]
2012-12-05 20:19:17 INFO: READER_1_2_1, DBG_21430, Reading data from input source file [bbbb]
please advice
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Simply replacing the spaces with commas does not create a multi-valued field. So the rex command may have worked, but the rest of your search needs to be fixed. Try this
sourcetype="mslogs" ("MPSVCCMN_10081" OR "DBG_21430") earliest="12/5/2012:16:08:00" latest="12/5/2013:16:16:00"
| rex field=_raw "Mapping service is running [(?<mappingname>(.+))]sdep"
| transaction source
| search mapping_name=xxxx
| rex mode=sed field=input_source_file "s/ /,/g"
| makemv delim="," input_source_file
| stats count by mapping_name, input_source_file
Also, note that you are not counting by source, you are only counting events that have a field named source, which is all events. So I removed that part of the stats command.
