Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

split 2 multivalue fields concurrently/ split 1 multivalues row into multiple row

yuming1127
Path Finder
‎06-23-2021 01:24 AM

Hello,

Currently encounter 1 issue which unable to split 2 multivalues fields concurrently.

my table:

Productcolordescription1description2
phonebluelocation : loc_a
date: date_a
serial_no: serial_a		location : loc_a
date: date_q

phoneyellowlocation : loc_d
date: date_e
serial_no: serial_f		location : loc_x
date: date_y
serial_no: serial_z

 

desired output:

Productcolordescription1description2
phonebluelocation : loc_a

location : loc_a


phonebluedate:date_adate: date_q
phoneblueserial_no: serial_a 
phoneyellowlocation : loc_dlocation : loc_x
phoneyellowdate: date_edate: date_y
phoneyellowserial_no: serial_fserial_no: serial_z

 

im able to find a function called  mvexpand but sadly it cannot split 2 field.

Regards,

Yu Ming

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-23-2021 02:04 AM 
| makeresults 
| eval _raw="Product,color,description1,description2
phone,blue,location : loc_a|date: date_a|serial_no: serial_a,location : loc_a|date: date_q
phone,yellow,location : loc_d|date: date_e|serial_no: serial_f,location : loc_x|date: date_y|serial_no: serial_z
phone,green,location : loc_p|date: date_q,location : loc_g|date: date_h|serial_no: serial_i"
| multikv forceheader=1
| eval description1=split(description1,"|")
| eval description2=split(description2,"|")
| fields - _* linecount



| eval range=mvrange(0,max(mvcount(description1),mvcount(description2)))
| mvexpand range
| eval description1=mvindex(description1,range)
| eval description2=mvindex(description2,range)

View solution in original post

Reply
Solved! Jump to solution

yuming1127
Path Finder
‎07-11-2021 08:34 PM

@ITWhisperer  , i discovered the solution not work correctly for below case.

Productcolordescription1description2
phonebluelocation : loc_a
date: date_a
serial_no: serial_a
extra_info_a:info_a
extra_info_b:info_b		location : loc_a
date: date_q
extra_info_a: info_c
extra_info_b: info_d

phoneyellowlocation : loc_d
date: date_e
serial_no: serial_f		location : loc_x
date: date_y
serial_no: serial_z

 

 

Current output: where there are mismatch of field

Productcolordescription1description2
phonebluelocation : loc_a

location : loc_a


phonebluedate:date_adate: date_q
phoneblueserial_no: serial_aextra_info_a: info_c
phone blueextra_info_a:info_aextra_info_b: info_d
phoneblueextra_info_b:info_b 
phoneyellowlocation : loc_dlocation : loc_x
phoneyellowdate: date_edate: date_y
phoneyellowserial_no: serial_fserial_no: serial_z

 

Cannot figure out how to do that, would appreciate if there a clear procedure/solution i can do, thanks

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2021 01:27 AM

It would have helped if you had made it clearer that the "keys" in the multi-value field had to align!

Try this

| makeresults 
| eval _raw="Product,color,description1,description2
phone,blue,location: loc_a|date: date_a|serial_no: serial_a|extra_info_a: info_a|extra_info_b: info_b,location: loc_a|date: date_q|extra_info_a: info_c|extra_info_b: info_d
phone,yellow,location: loc_d|date: date_e|serial_no: serial_f,location: loc_x|date: date_y|serial_no: serial_z
phone,green,location: loc_p|date: date_q,location: loc_g|date: date_h|serial_no: serial_i"
| multikv forceheader=1
| eval description1=split(description1,"|")
| eval description2=split(description2,"|")
| fields - _* linecount



| eval keys1=mvmap(description1,mvindex(split(description1,":"),0))
| eval keys2=mvmap(description2,mvindex(split(description2,":"),0))
| eval keys=mvdedup(mvappend(keys1,keys2))
| eval range=mvrange(0,mvcount(keys))
| mvexpand range
| eval description1=mvindex(description1,mvfind(keys1,mvindex(keys,range)))
| eval description2=mvindex(description2,mvfind(keys2,mvindex(keys,range)))
| table Product color description1 description2
0 Karma
Reply
Solved! Jump to solution

yuming1127
Path Finder
‎07-12-2021 02:01 AM

Its worked, great that learned mvmap and mvfind today, thanks alot

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-23-2021 02:04 AM 
| makeresults 
| eval _raw="Product,color,description1,description2
phone,blue,location : loc_a|date: date_a|serial_no: serial_a,location : loc_a|date: date_q
phone,yellow,location : loc_d|date: date_e|serial_no: serial_f,location : loc_x|date: date_y|serial_no: serial_z
phone,green,location : loc_p|date: date_q,location : loc_g|date: date_h|serial_no: serial_i"
| multikv forceheader=1
| eval description1=split(description1,"|")
| eval description2=split(description2,"|")
| fields - _* linecount



| eval range=mvrange(0,max(mvcount(description1),mvcount(description2)))
| mvexpand range
| eval description1=mvindex(description1,range)
| eval description2=mvindex(description2,range)
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...