
equivalent of "cut -d"," -f1,3 in splunk

easedilctl
New Member

Hi,

I'm trying to extract the unique values for specific fields. You would use the following command in unix:

cut -d"," -f1 | sort -u

How would I do it in the Splunk search bar?

Thanks!

0 Karma

Ayn
Legend

How about

... | makemv delim="," _raw | eval yourfield=mvindex(_raw,0)

Or if you prefer using regex,

... | rex "^(?<yourfield>[^,]+)"

Ayn
Legend

What difference would you be expecting? The raw events will still look the same - the difference would be that the field yourfield is created and should contain the data you want to extract.

0 Karma

easedilctl
New Member

Hi Ayn,

I'm sorry but I don't see the difference in results with or without these additional commands.

0 Karma

rgcurry
Contributor

So you are wanting to extract the date and what appears to be some statistic (avg response/seek time?), right? Have you tried using Field Extractions? Check it out at http://docs.splunk.com/Documentation/Splunk/4.3.3/Knowledge/Addfieldsatsearchtime.

0 Karma

easedilctl
New Member

This is the sample data.
asmbkp20 [32; RAID 5; blade01-rac1; blade02-rac2; blade03-rac3],05/08/2013 11:18:52,APM00083400778,A,0.322061,0.322061

There are like 134+ fields there (not shown) and I'm only interested in fields 1 and 4 (DELIMS=","). Upon extracting fields 1 and 4, I'd like to create a bar chart showing values at different times of the day/week, etc.

0 Karma
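Added example, not part of any post in this thread: the positional `rex` approach suggested above, extended to pull fields 1, 2 and 4 from the sample event and list the unique field 1 / field 4 pairs. The field names `f1`, `f2`, `f4`, the second and third events, and the month/day/year reading of the timestamp are assumptions; it also assumes a Splunk version that provides `makeresults` and inline comments, and that none of the first four fields contains an embedded comma.

```spl
| makeresults count=3 ```three constructed events; only the first line comes from the thread```
| streamstats count AS n
| eval _raw=case(
    n=1, "asmbkp20 [32; RAID 5; blade01-rac1; blade02-rac2; blade03-rac3],05/08/2013 11:18:52,APM00083400778,A,0.322061,0.322061",
    n=2, "asmbkp20 [32; RAID 5; blade01-rac1; blade02-rac2; blade03-rac3],05/08/2013 12:18:52,APM00083400778,B,0.400000,0.400000",
    n=3, "example-lun [1; RAID 5; example-host],05/08/2013 12:18:52,APM00083400778,A,0.100000,0.100000")
| rex "^(?<f1>[^,]*),(?<f2>[^,]*),[^,]*,(?<f4>[^,]*)" ```positions 1, 2 and 4, like cut -d"," -f1,2,4```
| eval _time=strptime(f2, "%m/%d/%Y %H:%M:%S") ```only needed for the constructed events; assumes month/day/year```
| stats count BY f1, f4 ```unique (f1, f4) pairs with a count, like sort | uniq -c```
```

On indexed data, replace the first three commands with your base search and drop the `eval _time` line. For a chart over time, replace the final `stats` line with `timechart span=1h count BY f4`.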

hexx
Splunk Employee

Can you show us a sample event as well as the output you would like to see?

0 Karma