Splunk Search

replace space in multi-value field with comma

trkalva
Engager

Hi.

I have a field input_source_file and I need to make it a comma-separated field so that I can group by that and source and get a count. I followed the thread "http://splunk-base.splunk.com/answers/79030/replace-space-in-multi-value-filed-with-comma" but am not able to get the result.

data in input_source_file is : aaaa bbbb

desired: aaaa,bbbb

My query is:

sourcetype="mslogs" ("MPSVCCMN_10081" OR "DBG_21430") earliest="12/5/2012:16:08:00" latest="12/5/2013:16:16:00"
| rex field=_raw "Mapping service is running \[(?<mapping_name>(.+))\]\sdep"
| transaction source
| search mapping_name=xxxx
| rex mode=sed field=input_source_file "s/ /,/g"
| stats count(source) by mapping_name,input_source_file

sample event:

2012-12-05 20:19:17 INFO: [MPSVCCMN_10081] Mapping service is running [xxxx] deployed in [yyyy]

2012-12-05 20:19:17 INFO: READER_1_1_1, DBG_21430, Reading data from input source file [aaaa]

2012-12-05 20:19:17 INFO: READER_1_2_1, DBG_21430, Reading data from input source file [bbbb]

Please advise.

0 Karma

lguinn2
Legend

Simply replacing the spaces with commas does not create a multi-valued field. So the rex command may have worked, but the rest of your search needs to be fixed. Try this:

sourcetype="mslogs" ("MPSVCCMN_10081" OR "DBG_21430") earliest="12/5/2012:16:08:00" latest="12/5/2013:16:16:00"
| rex field=_raw "Mapping service is running \[(?<mapping_name>(.+))\]\sdep"
| transaction source
| search mapping_name=xxxx
| rex mode=sed field=input_source_file "s/ /,/g"
| makemv delim="," input_source_file
| stats count by mapping_name, input_source_file

Also, note that you are not counting by source; you are only counting events that have a field named source, which is all events. So I removed that part of the stats command.
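A self-contained version of the pipeline, added here as an example and not code from either post in the thread: it rebuilds the three sample events with makeresults so it runs without the mslogs data, extracts both fields with rex, lets transaction merge them into multi-value fields, and then uses mvjoin (rather than the makemv step above) to build the single "aaaa,bbbb" grouping key the question asks for. The source value is a constructed placeholder.

```spl
| makeresults count=3
| streamstats count AS n
| eval source="constructed_sample.log"
| eval _raw=case(
    n==1, "2012-12-05 20:19:17 INFO: [MPSVCCMN_10081] Mapping service is running [xxxx] deployed in [yyyy]",
    n==2, "2012-12-05 20:19:17 INFO: READER_1_1_1, DBG_21430, Reading data from input source file [aaaa]",
    n==3, "2012-12-05 20:19:17 INFO: READER_1_2_1, DBG_21430, Reading data from input source file [bbbb]")
| rex field=_raw "Mapping service is running \[(?<mapping_name>[^\]]+)\]\sdeployed"
| rex field=_raw "input source file \[(?<input_source_file>[^\]]+)\]"
| transaction source
| search mapping_name=xxxx
| eval input_source_files=mvjoin(input_source_file, ",")
| stats count BY mapping_name, input_source_files
```

This yields one row per mapping keyed by the joined file list; using the multi-value input_source_file directly in the stats BY clause instead gives one row per file, which is what the makemv version above produces.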
