Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split a field into multiple fields?

Minarai
Explorer
‎03-29-2023 08:58 PM

Hi.

Lets say there are fields named "raw".

The values are like this.

http-header1=value1|http-header2=value2..

Number of HTTP Headers is 1 to 4.

ex)

METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg

I'd like to split this field into multiple fields like this.

field | value
----------------------+--------------
raw_http_header1 | value1
raw_http_header2 | value2

...

ex)

field | value

----------------------+--------------

raw_METHOD | POST

raw_User_Agent | Mozilla

raw_HTTP_CONTENT | img/jpeg

 

...

Notice field name cannot contain "-".

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-01-2023 07:03 AM

raw_User_Agent is null for eventID 2

This is how tables work! You have rows and columns. Where there is a value for the column it is shown for that row. The cell (row x column) doesn't simply disappear if there is not value to be shown, it is just blank.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2023 12:45 AM 
| makeresults
| fields - _time
| eval raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| eval raw=split(raw,"|")
| mvexpand raw
| rex field=raw "(?<field>[^=]+)=(?<value>.*)"
| eval field="raw_".replace(field,"-","_")
Reply
Solved! Jump to solution

Minarai
Explorer
‎03-30-2023 07:15 AM

Thanks a lot!

Sorry to bother you, but is there any way without using mvexpand?

When you use mvexpand, events are created separately,right?

I want add fields to oridinal event.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2023 07:20 AM 
| makeresults
| fields - _time
| eval raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| rex field=raw max_match=0 "(?<field>[^=]+)=(?<value>[^\|]+)\|?"
| eval field=mvmap(field,"raw_".replace(field,"-","_"))
Reply
Solved! Jump to solution

Minarai
Explorer
‎04-01-2023 06:54 AM

Thank you for reply!

What I showed you as example was not good.

 

There are events like this.

index=index_main
| table eventID,raw
eventIDraw
1METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg
2METHOD=GET|Referer=http://192.168.0.1
3METHOD=POST|X-Forwarded-For=10.0.0.1|User-Agent=Firefox


The wanted result is like this.
I want to create new field which name is related http header.

eventID2 does not have User-Agent Header, so you do not add raw_User_Agent field.

...
| table eventID,raw*
eventIDrawraw_METHODraw_User_Agentraw_HTTP_CONTENTraw_Refererraw_X_Forwarded_For
1METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpegPOSTMozillaimg/jpeg  
2METHOD=GET|Referer=http://192.168.0.1GET  http://192.168.0.1 
3METHOD=POST|X-Forwarded-For=10.0.0.1|User-Agent=FirefoxPOSTFirefox  10.0.0.1
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-01-2023 07:03 AM

raw_User_Agent is null for eventID 2

This is how tables work! You have rows and columns. Where there is a value for the column it is shown for that row. The cell (row x column) doesn't simply disappear if there is not value to be shown, it is just blank.

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-29-2023 09:07 PM

Did you want something like this

| makeresults
| fields - _time
| eval _raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| extract
| fields - _kv _raw
| transpose 0 column_name="field"
| eval field="raw_".field
| rename "row 1" as value

which from the "extract" will create the field/value pairs and make two columns field and value

or did you want a single piece of text with the value separated with a pipe symbol

 

Reply
Solved! Jump to solution

Minarai
Explorer
‎03-29-2023 10:43 PM

Thanks for your reply.

What you showed was really good,

but I want add these fields to search result by using eval command or something.

ex

I want add "rawdata_method" field whose value is "POST".

 

Regards

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-29-2023 09:10 PM

i.e. this variant

| makeresults
| fields - _time
| eval _raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| rex field=_raw max_match=0 "(?<field>[^|]*)\|?"
| mvexpand field
| eval field="raw_".replace(field, "=", "|")
| fields - _raw
0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...