I was wondering if there's any possible way to split up a multi-valued field using Splunk.
For example, I have a field called "classifications" and it looks like this:
classifications = 1;2;3;4;5;6
Is there any way to split it so that when I search "classifications=2" it would understand and show accordingly?
Thanks in advance!
I ran into this problem and have a rough workaround. I have to create an mv field using values for a particular reason, and then match a substring of that value to another field.
...|stats values(field) as fieldname by sourcetype | nomv fieldname | rex mode=sed field=fieldname "s/ /,/g" | rex mode=sed field=fieldname "s/^/,/" | rex mode=sed field=fieldname "s/$/,/" | eval match=if(match(fieldname, ",".matchfield.","), 1, 0)
I realize this isn't EXACTLY what you need to do, but it might help start you off. I did a nomv to get it into one row and then replaced my spaces with commas, however it looks like you're already ; delimited so you're a few steps ahead of me. You might be able to get by with just doing something along the lines of
...|eval match=if(match(fieldname, ";2;"), 1, 0) | search match=1
I am not sure if this is a good solution for you, but I had a similar situation where I needed to get the split values from multivalued fields.
Basically the way to split the multivalued field was the same as the one posted by csharp_splunk.
This was how I tested and is messy, but it worked.
* | head 1 | eval classifications = "1;2;3;4;5;6" | makemv delim=";" classifications | top classifications | fields classifications | search classifications=2
This returns 2 only.
* | head 1 | eval classifications = "1;2;3;4;5;6"
is just to create dummy fields...
I have a field that has: value1,value2,value3. I was using split: split_value=split(field, ",")
Afterwards, however, I was not able to search on just one of the items. My search string:
| eval values=split(field, ",") | search values=foo
This search would show all of the results of values, instead of just foo.
Using the makemv delim method, it works. Weird ...
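Three searches that reproduce this behaviour on a constructed event, added here as an example and not from any poster in the thread (the field name "field" and the value "foo" are taken from the comment above; swap the delimiter for ";" to apply it to the original "classifications" question):

```spl
| makeresults
| eval field="foo,bar,baz"
| eval values=split(field, ",")
| search values=foo

| makeresults
| eval field="foo,bar,baz"
| eval values=split(field, ",")
| mvexpand values
| search values=foo

| makeresults
| eval field="foo,bar,baz"
| eval values=split(field, ",")
| eval values=mvfilter(match(values, "^foo$"))
```

The first search returns the whole event with all three values, because `search` on a multivalued field matches when any one value equals foo. `mvexpand` turns the event into one row per value so the final `search` keeps only the foo row, and `mvfilter` keeps the single event but drops every value that does not match.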
I'm not sure what I am missing. Similar to csharp_splunk's method, I can't get it to work properly.
My records usually either start with a 0 (0;1;2;3) or a 2 (2;3;4;5), etc.
So after splitting, when I tried to list them out using stats count classifications, they only showed 0 and 2.
Is it normal? I can't seem to search for values either.
Hi. Thanks for your prompt reply!
I have tried to replace the