I have a field called "OrgCode" with data like "L6" "L9" "G6" "K6" "K4", which is departments L G and K. I need to get a new field for each department.
Assuming the department code is always the first character of OrgCode, one of these should do the job.
... | rex field=OrgCode "(?<dept>\w)" | ... ... | eval dept = substr(OrgCode, 1, 1) | ...
substr method returns a new field with the first character of the OrgCode field. What I need is a field for DeptL where only the OrgCodes that start with L are in it. Then a DeptK field with only the OrgCodes that start with K are in it, and so on. This seems logical to me but doesn't work:
eval DeptA=[search OrgCode=A*]