replace space in multi-value field with comma

trkalva · ‎07-20-2013

Hi.

i have field input_source_file and I need to make it a comma separated field so that I can group by that and source and get a count, i followed the thread "http://splunk-base.splunk.com/answers/79030/replace-space-in-multi-value-filed-with-comma" but not able to get the result.

data in input_source_file is : aaaa bbbb

desired: aaaa,bbbb

My query is:

sourcetype="mslogs" ("MPSVCCMN_10081" OR "DBG_21430") earliest="12/5/2012:16:08:00" latest="12/5/2013:16:16:00" | rex field=_raw "Mapping service is running [(?(.+))]sdep" | transaction source|search mapping_name=xxxx| rex mode=sed field=input_source_file "s/ /,/g" | stats count(source) by mapping_name,input_source_file

sample event:

2012-12-05 20:19:17 INFO: [MPSVCCMN_10081] Mapping service is running [xxxx] deployed in [yyyy]

2012-12-05 20:19:17 INFO: READER_1_1_1, DBG_21430, Reading data from input source file [aaaa]

2012-12-05 20:19:17 INFO: READER_1_2_1, DBG_21430, Reading data from input source file [bbbb]

please advice

lguinn2 · ‎07-20-2013

Simply replacing the spaces with commas does not create a multi-valued field. So the rex command may have worked, but the rest of your search needs to be fixed. Try this

sourcetype="mslogs" ("MPSVCCMN_10081" OR "DBG_21430") earliest="12/5/2012:16:08:00" latest="12/5/2013:16:16:00" 
| rex field=_raw "Mapping service is running [(?<mappingname>(.+))]sdep" 
| transaction source
| search mapping_name=xxxx
| rex mode=sed field=input_source_file "s/ /,/g" 
| makemv delim="," input_source_file
| stats count by mapping_name, input_source_file

Also, note that you are not counting by source, you are only counting events that have a field named source, which is all events. So I removed that part of the stats command.

replace space in multi-value field with comma

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor