Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SPL: Use regex replacement string multiple times

_Tom
Explorer
‎10-27-2021 01:57 AM

Hello *,

I am looking for an SPL that reads the first part of a string via regex and replaces all occurrences of a certain character with this first part. This is to be used for summary indexing. 

Example:

 

1;A__B
2;B__C__D__A__E
3;G

 

is to be transformed into (each line will become a value in a multivalue field):

 

1;A
1;B
2;B
2;C
2;D
2;A
2;E
3;G

 

Neither replace nor rex seem to be able to afford multiple replacements of this kind. I also tried foreach with some field extractions but failed. Before I write a custom search command for it, I hope for your ideas to solve the problem with some clever standard SPL.  

Thank you in advance for your thoughts!

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-27-2021 02:11 AM 
| makeresults
| eval _raw="1;A__B
2;B__C__D__A__E
3;G"
| multikv noheader=t
| table _raw




| eval first=mvindex(split(_raw,";"),0)
| eval second=split(mvindex(split(_raw,";"),1),"_")
| mvexpand second
| where second!=""
| eval _raw=first.";".second

View solution in original post

Reply
Solved! Jump to solution

_Tom
Explorer
‎10-28-2021 09:03 AM

 

 

Hello @ITWhisperer,

thank you very much for the quick answer, which helped a lot. We need to do the transformation for multiple fields within a complex query. Therefore, the solution had to be adapted somewhat: 

| makeresults 
| eval fieldname1="1;A__B
2;B__C__D__A__E
3;G"
| eval other_fields_1="other_content"

| eval tmp_raw = _raw
| eval _raw=fieldname1 ``` temporarily overwriting _raw with the field value ```
| multikv noheader=t
| table _raw *other_fields* ``` to keep the fields which we still need ```
| eval first=mvindex(split(_raw,";"),0)
| eval second=split(mvindex(split(_raw,";"),1),"__")
| mvexpand second
| eval _raw=first.";".second
| rename _raw as fieldname1
| fields  - first,second
| mvcombine delim="\n" fieldname1 ``` to get a multivalue field ```
| eval _raw = tmp_raw
| table *

Is there a better solution than overwriting _raw with the field value? I also was surprised that creating a multikv.conf file seems not to be required, as it autodetects semicolon as the separator and ignores the underlines.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-29-2021 04:31 AM

You could try rename _raw as tmp_raw and fieldname1 as _raw rather the two assignments but, this is as good a way as any to get multikv to work.

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-27-2021 02:11 AM 
| makeresults
| eval _raw="1;A__B
2;B__C__D__A__E
3;G"
| multikv noheader=t
| table _raw




| eval first=mvindex(split(_raw,";"),0)
| eval second=split(mvindex(split(_raw,";"),1),"_")
| mvexpand second
| where second!=""
| eval _raw=first.";".second
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...