Splunk Search

replace space in multi-value field with comma

trkalva
Engager

Hi.

I have a field input_source_file and I need to make it a comma-separated field so that I can group by that and source and get a count. I followed the thread "http://splunk-base.splunk.com/answers/79030/replace-space-in-multi-value-filed-with-comma" but am not able to get the result.

Data in input_source_file is: aaaa bbbb

Desired: aaaa,bbbb

My query is:

sourcetype="mslogs" ("MPSVCCMN_10081" OR "DBG_21430") earliest="12/5/2012:16:08:00" latest="12/5/2013:16:16:00" | rex field=_raw "Mapping service is running \[(?<mapping_name>(.+))\]\sdep" | transaction source | search mapping_name=xxxx | rex mode=sed field=input_source_file "s/ /,/g" | stats count(source) by mapping_name,input_source_file

Sample event:

2012-12-05 20:19:17 INFO: [MPSVCCMN_10081] Mapping service is running [xxxx] deployed in [yyyy]

2012-12-05 20:19:17 INFO: READER_1_1_1, DBG_21430, Reading data from input source file [aaaa]

2012-12-05 20:19:17 INFO: READER_1_2_1, DBG_21430, Reading data from input source file [bbbb]

Please advise.

0 Karma

lguinn2
Legend

Simply replacing the spaces with commas does not create a multi-valued field. So the rex command may have worked, but the rest of your search needs to be fixed. Try this:

sourcetype="mslogs" ("MPSVCCMN_10081" OR "DBG_21430") earliest="12/5/2012:16:08:00" latest="12/5/2013:16:16:00" 
| rex field=_raw "Mapping service is running \[(?<mapping_name>(.+))\]\sdep" 
| transaction source
| search mapping_name=xxxx
| rex mode=sed field=input_source_file "s/ /,/g" 
| makemv delim="," input_source_file
| stats count by mapping_name, input_source_file

Also, note that you are not counting by source, you are only counting events that have a field named source, which is all events. So I removed that part of the stats command.
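The difference between a comma-joined string and a multi-valued field, as an added example that is not part of either post: the event is constructed with makeresults from the sample values above, and the helper fields joined, joined_count and mv_count are hypothetical names used only to make the two states visible.

```spl
| makeresults
| eval mapping_name="xxxx", input_source_file="aaaa bbbb"
| rex mode=sed field=input_source_file "s/ /,/g"
| eval joined=input_source_file, joined_count=mvcount(joined)
| makemv delim="," input_source_file
| eval mv_count=mvcount(input_source_file)
| stats count by mapping_name, joined, joined_count, mv_count, input_source_file
```

After the sed replacement the field is still one value (the string aaaa,bbbb), while after makemv it holds two values and stats returns one row per value. Group by the joined string when the count should be per combination of files, and by the multi-valued field when it should be per individual file.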
