
New field from search results

Explorer

Hi,

I have a field called "OrgCode" with data like "L6" "L9" "G6" "K6" "K4", which is departments L G and K. I need to get a new field for each department.

Thanks

0 Karma

Re: New field from search results

SplunkTrust

Try this

your current search which includes field OrgCode | eval Department=replace(OrgCode,"^([A-Za-z]+)\d+","\1")
0 Karma

Re: New field from search results

SplunkTrust

Assuming the department code is always the first character of OrgCode, one of these should do the job.

... | rex field=OrgCode "(?<dept>\w)" | ...

... | eval dept = substr(OrgCode, 1, 1) | ...
---
If this reply helps you, an upvote would be appreciated.

Re: New field from search results

Explorer

The substr method returns a new field with the first character of the OrgCode field. What I need is a field for DeptL where only the OrgCodes that start with L are in it. Then a DeptK field with only the OrgCodes that start with K are in it, and so on. This seems logical to me but doesn't work:

 eval DeptA=[search OrgCode=A*]
0 Karma

Re: New field from search results

SplunkTrust

After the field Department/dept is created, you will be able to filter records for a single department.

0 Karma
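
One way to get the per-department fields asked for in this thread, building on the dept field from the replies above. This is an added example, not code from any poster: it uses makeresults to generate constructed sample events from the OrgCode values in the question, and the field names DeptL, DeptG and DeptK are assumptions. Each eval keeps OrgCode only when the department letter matches and leaves the field null otherwise; the final stats collects the values per department.

```spl
| makeresults
| eval OrgCode=split("L6,L9,G6,K6,K4", ",")
| mvexpand OrgCode
| eval dept=substr(OrgCode, 1, 1)
| eval DeptL=if(dept=="L", OrgCode, null()),
       DeptG=if(dept=="G", OrgCode, null()),
       DeptK=if(dept=="K", OrgCode, null())
| stats values(DeptL) as DeptL, values(DeptG) as DeptG, values(DeptK) as DeptK
```

In a real search, replace the first three lines with the base search that returns OrgCode. Drop the stats line to keep the new fields on each individual event instead.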