topic Re: How to use split in search? in Getting Data In

How to use split in search?

sbimizry — Fri, 02 Aug 2019 10:04:50 GMT

Hi, how to me use a command split or other command that make two field from one?
Example: Im get a token with text "1** or 2**", I must use this in search | where field=$token$ that get all event with 100-299 number, or using | eval field2=split($token$," or ") and next step using a mvindex(field2, 0), but this not work. And, how to make an exception if in token is "*".

Thanks.

Re: How to use split in search?

guarisma — Fri, 02 Aug 2019 14:45:53 GMT

Can you post a sample of the event and what is currently being extracted? it's hard to understand what you are trying to do.

So a Field called token is extracted and it's value could be a String like "121 or 265"?
You could do an extraction on the token field:

... | rex field=token "(?<token1>\d{3})\sor\s(?<token2>\d{3})"

This will create 2 new fields, token1 and token2

Re: How to use split in search?

FrankVl — Mon, 05 Aug 2019 10:37:53 GMT

From what I understand (but I agree it is a bit unclear), he has a dashboard with a text input, resulting in a token $token$ . That text input can contain a search string like "1** or 2**" which he would like to apply to a certain field to filter the results.

You might want to take a look at this (rather old) question and answer about manipulating a token: https://answers.splunk.com/answers/127021/manipulate-a-token-string-in-a-form.html

Assuming that approach still works, I think that provides all the ingredients needed to solve your challenge as well.