Advent of code in SPL - 2025 day 6

Day 6 is here.

As always we save the challenge data as a csv file, add a column header (just one column called "math"), and upload it to splunk:

Part 1

Cephalopod math is organised in columns, which is going against of the grain in splunk. So a good first step would be to transpose it. Before we can do that, we need to give a name to each field:

Then we can use the transpose command:

Then we need to split each field on spaces:

Note: sadly split does not take a regular expression for the pattern to split on, if it did I would have used " +". In our challenge data the amount of white space varies. Thankfully split does not create null or empty-string values (or does it?) so the above just works. You can convince yourself (or can you?) with:

Now we need to use mvexpand to have a stream of math problems, but before we do that we need to marry up the Nth element of field1 with the Nth element of field2 with the Nth element of field3, etc. This is what mvzip is for:

Except that doesn't work well at all, annoyingly, because splunk lied. Going back to our test:

So Splunk was evil in our previous test! It did create empty string entries in the multivalue but wasn't showing them...

Not to worry, that means we just need to use a regular expression before the split:

This looks much better! Now for mvexpand:

It is convoluted, but we can now separate the data:

And then do the calculations (not trying to be elegant):

Easy!

Part 2

This should be very similar in the approach, but instead of splitting on white space, we can just split character by character:

Except we can see an alignment problem. Look at field4. It's completely out of whack.

Looking at the challenge data, it turns out that the 4th line of my challenge data starts with 2 spaces:

Splunk took it upon itself to ignore this space, which served us in part 1 (otherwise we would have had alignment issues and would have had to add a second replace() to remove leading white space), but here it's a problem. So we need to download the data again, save it as csv, add a header as before, but now also double quotes around the whole 4th line, then upload it again to splunk:

Now our search looks much better:

Something weird happens when we add the table command:

We now have 2 events! It seems like a bug to me. Sometimes I've seen the special field _mkv_child appearing and causing issues like this, but here it's not clear to me what's happening. I can get rig of it by making sure transpose doesn't see any unexpected fields:

Now we need to break these up by paragraph. I guess we can mvjoin and then split them:

I guess it would be easier to parse if we put the operation first. So let's edit it a bit:

Now we can split the numbers up and the operation easier:

Let's implement a clever fillnull for the values that are not populated:

Now we can get the solution:

It's maybe not the most elegant, but we got there and it wasn't too difficult.