Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splitting raw field after transaction

moinyuso96
Path Finder
‎06-16-2021 08:39 PM

I used transaction to combine 2 rows of raw fields:

raw

4015_ABCD, Start, 8/11/2020 5:37:10 PM, 12345

4015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345

4015_ABCD, Start, 8/12/2020 10:23:34 AM, 12345

1113_EFGH, Start, 8/12/2020 12:00:00 PM, 67890

1113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890

 

Is there a simple way to split the raw field into "raw1" and "raw2" as below (preferably without using rex)?

rawraw1raw2

4015_ABCD, Start, 8/11/2020 5:37:10 PM, 12345

4015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345

4015_ABCD, Start, 8/11/2020 5:37:10 PM, 123454015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345
4015_ABCD, Start, 8/12/2020 10:23:34 AM, 123454015_ABCD, Start, 8/12/2020 10:23:34 AM, 12345 

1113_EFGH, Start, 8/12/2020 12:00:00 PM, 67890

1113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890

1113_EFGH, Start, 8/12/2020 12:00:00 PM, 678901113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-16-2021 08:45 PM

Using mvindex on the multivalue raw field

| eval raw1=mvindex(raw,0), raw2=mvindex(raw,1)

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-16-2021 08:45 PM

Using mvindex on the multivalue raw field

| eval raw1=mvindex(raw,0), raw2=mvindex(raw,1)
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-16-2021 08:50 PM

Also just FYI - as a generic solution to splitting multivalue fields where you don't always know you will have 2 fields, you can do this sort of thing

| foreach 0 1 2 3 4 5 [ eval raw<<FIELD>>=mvindex(raw,<<FIELD>>) ]

which would split up to 6 values of a multi-value field into raw0, raw1, raw2 etc.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...