Splunk Search

replace space in multi-value field with comma

trkalva
Engager

Hi.

i have field input_source_file and I need to make it a comma separated field so that I can group by that and source and get a count, i followed the thread "http://splunk-base.splunk.com/answers/79030/replace-space-in-multi-value-filed-with-comma" but not able to get the result.

data in input_source_file is : aaaa bbbb

desired: aaaa,bbbb

My query is:

sourcetype="mslogs" ("MPSVCCMN_10081" OR "DBG_21430") earliest="12/5/2012:16:08:00" latest="12/5/2013:16:16:00" | rex field=_raw "Mapping service is running [(?(.+))]sdep" | transaction source|search mapping_name=xxxx| rex mode=sed field=input_source_file "s/ /,/g" | stats count(source) by mapping_name,input_source_file

sample event:

2012-12-05 20:19:17 INFO: [MPSVCCMN_10081] Mapping service is running [xxxx] deployed in [yyyy]

2012-12-05 20:19:17 INFO: READER_1_1_1, DBG_21430, Reading data from input source file [aaaa]

2012-12-05 20:19:17 INFO: READER_1_2_1, DBG_21430, Reading data from input source file [bbbb]

please advice

0 Karma

lguinn2
Legend

Simply replacing the spaces with commas does not create a multi-valued field. So the rex command may have worked, but the rest of your search needs to be fixed. Try this

sourcetype="mslogs" ("MPSVCCMN_10081" OR "DBG_21430") earliest="12/5/2012:16:08:00" latest="12/5/2013:16:16:00" 
| rex field=_raw "Mapping service is running [(?<mappingname>(.+))]sdep" 
| transaction source
| search mapping_name=xxxx
| rex mode=sed field=input_source_file "s/ /,/g" 
| makemv delim="," input_source_file
| stats count by mapping_name, input_source_file

Also, note that you are not counting by source, you are only counting events that have a field named source, which is all events. So I removed that part of the stats command.

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...