topic Return single field values in Splunk Search

Return single field values

aleem — Tue, 06 Mar 2012 16:26:59 GMT

Hi,
I am importing custom CSV files. I have a field value named "color". I just want to be able to get Splunk to return the value of color. The example below would return "Orange"

Any ideas what the searh might be?

06/03/2012 09:30:00,DX2-MARTINI-GROC-9,80,COM-LIVE / COM-LIVE2 / SECURE-SSL-LIVE,6509-MK2:ACE:1:MK-ACE-16509-MK1:ACE:1:MK-ACE-1,Down,Down,MARTINI-GROCERY-LIVE,,,,Orange,2,9

Re: Return single field values

lguinn2 — Tue, 06 Mar 2012 16:36:29 GMT

If the sourcetype is "csv", then Splunk will extract the fields and name them based on the first line (which is assumed to be a header). So if the first line defined this field with the name Color, you could do this

| table Color

Would return only the color field for each search result.

Re: Return single field values

aleem — Tue, 06 Mar 2012 17:12:41 GMT

Excellent, much appreciated