Hello,
Is there a way to split out the unique values of a field into separate fields that are returned after a search?
For example, my search returns the following syslog messages
Login Success from 1.1.1.1
Login Failed from 2.2.2.2
Login Failed from 1.1.1.1
Splunk has extracted the following field "field 1" which contains the "Success" and "Failed" string values
Is there a way (preferably with the eval command) to extract these values into their own unique fields, i.e., field2=Failed, field3=Success
This is so I can use a table command like the following
| table ip, field1, field2, field3
Thank you
Hey @alex387, just following up to see if you got the answer you need.
I agree with @adonio about this request not making a lot of sense. However, here's one way to do it.
... | eval field2 = if(field1=="Success", field1, null()), field3 = if(field1=="Failed", field1, null())
There's other ways to do this, but here's one possibility for you --
Based on your sample data, it seems you would know the possible values ahead of time. If that's the case, you could use an eval to assign the value to a field you want.
... | eval field2=if(field1 == "Failed", field1, "") | eval field3=if(field1 == "Success", field1, "") | table ip field2 field3
This would give you the following, given the data you provided.
ip        field2   field3
1.1.1.1            Success
2.2.2.2   Failed
1.1.1.1   Failed
why would you want that?
the entire idea is to be able to put different values in fields so you can perform functions and statistics on them
a single value to a field is almost meaningless ...
you can always do your query with table, but I think you probably have a question regarding your data ...
think about this question (or those questions), articulate them, and write the query that will answer them.
also, I recommend reading the docs at docs.splunk.com regarding fields, extractions, and data on-boarding
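As an added example that is not from any of the posts above: instead of single-valued fields, the question most people actually have about these events ("how many failed vs. successful logins per source IP?") can be answered by pivoting the status values into columns with chart. The makeresults/mvappend/mvexpand lines only construct the three sample syslog events from the question so the search runs stand-alone; the rex pattern and the ip field name are assumptions, since the original page only shows the extracted field1.

```spl
| makeresults
| eval _raw=mvappend("Login Success from 1.1.1.1", "Login Failed from 2.2.2.2", "Login Failed from 1.1.1.1")
| mvexpand _raw
``` constructed sample events: one row per syslog line ```
| rex field=_raw "^Login (?<field1>Success|Failed) from (?<ip>\d{1,3}(?:\.\d{1,3}){3})$"
``` field1 holds Success/Failed, ip holds the source address ```
| chart count over ip by field1
``` one row per ip, one column per distinct field1 value (Failed, Success) ```
| fillnull value=0 Failed Success
| sort - Failed
``` result: 1.1.1.1 Failed=1 Success=1, 2.2.2.2 Failed=1 Success=0 ```
```

Because the distinct values become column names automatically, this also works when a new status string (e.g. "Locked") shows up later, whereas the eval approach needs a new line per value.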