topic merge a string in a list relatively to another string in Splunk Search

merge a string in a list relatively to another string

amir_bnp — Fri, 06 Dec 2019 09:46:29 GMT

Hello everyone,

I want to add a string in a list which is in a field compared to another string which also is in another field.

I want to add the string "webrtc" in the list in the field Type where in the field Type_call there is "web"

I tried with the command eval(if(in)) but it didn't start because it replace the entire list in Type by "webrtc"

How can do that, please ?

Thank you

Re: merge a string in a list relatively to another string

to4kawa — Fri, 06 Dec 2019 12:55:27 GMT

| makeresults 
| eval _raw="Type_call,Type
sip,Audio#Video
sip#web,Audio#video"
| multikv forceheader=1
| foreach Type*
    [eval <<FIELD>> = split('<<FIELD>>',"#")]
| table Type_call Type
`comment("this is sample base data")`
| eval Type=if(mvfind(Type_call,"web") > 0, mvappend(Type,"webtrc"),Type)

Hi, try this.

Re: merge a string in a list relatively to another string

amir_bnp — Mon, 09 Dec 2019 08:30:23 GMT

Hello to4kawa,

Thank you for you answer.

How do you do that but without the makeresults and the sample of data and the foreach?

My data is contained as the table above and i have other string in addition to "Audio" and "Video".

I have a field type_call and type and I want to do what I explained above but without using a data sample but with the data contained in the fields as splunk does.

Thank you
Amir

Re: merge a string in a list relatively to another string

bowesmana — Mon, 09 Dec 2019 10:34:14 GMT

This is the relevant line that does the work

eval Type=if(mvfind(Type_call,"web") > 0, mvappend(Type,"webtrc"),Type)

The rest is setup. The mvfind is looking for the string 'web' in the Type_call and if found (>0) the it adds the webtrc field to the existing multivalue Type field

Re: merge a string in a list relatively to another string

amir_bnp — Mon, 09 Dec 2019 10:44:29 GMT

Hello @bowesmana ,

I already tried this but it didn't work.

In my row which contains "sip" and "web" in the field Type_call, I don't have the "webrtc" which is added in the "Type" fields.

Thanx
Amir

Re: merge a string in a list relatively to another string

to4kawa — Wed, 30 Sep 2020 03:20:23 GMT

Thank you @bowesmana , that's right.
so, hi @amir_bnp

| makeresults 
| eval _raw="Type_call,Type
sip,Audio#Video
sip#web,Audio#Video" 
| multikv forceheader=1 
| foreach "Type*" 
    [ eval <<FIELD>> = split('<<FIELD>>',"#")] 
| table Type_call Type

Have you checked this result first?

Type_call      Type
sip            Audio
               Video
----------------------------
sip            Audio
web            Video

From this result, webtrc is added when the query eval is executed.
But if this doesn't work, it seems that Type_call is not multivalue, unlike the example given.

what's your query?

Re: merge a string in a list relatively to another string

arjunpkishore5 — Mon, 09 Dec 2019 11:50:36 GMT

Try this.

| eval Type=if(match(Type_call,"web"), mvappend(Type, "webrtc"), Type)

Re: merge a string in a list relatively to another string

to4kawa — Mon, 09 Dec 2019 11:56:00 GMT

| makeresults 
| eval _raw="Type_call,Type
sip,Audio#Video
sip#web,Audio#Video" 
| multikv forceheader=1 
| foreach "Type*" 
    [ eval <<FIELD>> = split('<<FIELD>>',"#")] 
| table Type_call Type
| nomv Type_call
| eval Type=if(match(Type_call,"web"), mvappend(Type, "webrtc"), Type)

It works, thank you

Re: merge a string in a list relatively to another string

arjunpkishore5 — Mon, 09 Dec 2019 12:01:52 GMT

I hadn't noticed that you have a similar approach in yours. 🙂

Re: merge a string in a list relatively to another string

amir_bnp — Mon, 09 Dec 2019 12:49:37 GMT

hi @to4kawa ,

your request works for the small table that I gave as an example but how do I change the request for it to work on a table containing the same fields but with thousands of lines?

thank you and sorry if I did not understand at first.

Amir

Re: merge a string in a list relatively to another string

amir_bnp — Mon, 09 Dec 2019 13:00:21 GMT

it works thank you @to4kawa .

I used that :

...| table pole participant type_call_leg type | eval type=if(match(type_call_leg,"acano"), mvappend(type, "webrtc"), type)

and it works with the "match" and not "mvfind"

thank you

Re: merge a string in a list relatively to another string

amir_bnp — Mon, 09 Dec 2019 13:05:39 GMT

thanks to you @arjunpkishore5 also for your request it works with the match

Amir

Re: merge a string in a list relatively to another string

bowesmana — Tue, 10 Dec 2019 10:20:33 GMT

The use of match and nomv rather then mvfind, is an indicator that the field was not multivalue or was hitting some MV field limit. In principle mvfind should work as a general rule.

Re: merge a string in a list relatively to another string

amir_bnp — Tue, 10 Dec 2019 10:28:51 GMT

ok thanks for this clarification.

Amir