equivalent of "cut -d"," -f1,3 in splunk

easedilctl · ‎05-08-2013

Hi,

I'm trying to extract the unique values for specific fields. You would use the following command in unix:

cut -d"," -f1 | sort -u

How would do it in splunk search bar?

Thanks!

Ayn · ‎05-08-2013

How about

... | makemv delim="," _raw | eval yourfield=mvindex(_raw,0)

Or if you prefer using regex,

... | rex "^(?<yourfield>[^,]+)"

Ayn · ‎05-09-2013

What difference would you be expecting? The raw events will still look the same - the difference would be that the field yourfield is created and should contain the data you want to extract.

easedilctl · ‎05-09-2013

Hi Ayn,

I'm sorry but I don't see the difference in results with or without these additional commands.

rgcurry · ‎05-08-2013

So you are wanting to extract the date and what appears to be some statistic (avg response/seek time?), right? Have you tried using Field Extractions? Check it out at http://docs.splunk.com/Documentation/Splunk/4.3.3/Knowledge/Addfieldsatsearchtime.

easedilctl · ‎05-08-2013

This is the sample data.
asmbkp20 [32; RAID 5; blade01-rac1; blade02-rac2; blade03-rac3],05/08/2013 11:18:52,APM00083400778,A,0.322061,0.322061

There are like 134+ fields there (not shown) and I'm only interested in field 1 and 4 (DELIMS=","). Upon extracting the fields 1 and 4, I'd like to create a bar chart showing values at different time of the day/week, etc.

hexx · ‎05-08-2013

Can you show us a sample event as well as the output you would like to see?

equivalent of "cut -d"," -f1,3 in splunk

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!