Splunk Search

merge a string in a list relatively to another string

amir_bnp
Explorer

Hello everyone,

I want to add a string in a list which is in a field compared to another string which also is in another field.

alt text

I want to add the string "webrtc" in the list in the field Type where in the field Type_call there is "web"

I tried with the command eval(if(in)) but it didn't start because it replace the entire list in Type by "webrtc"

How can do that, please ?

Thank you

0 Karma
1 Solution

arjunpkishore5
Motivator

Try this.

| eval Type=if(match(Type_call,"web"), mvappend(Type, "webrtc"), Type)

View solution in original post

arjunpkishore5
Motivator

Try this.

| eval Type=if(match(Type_call,"web"), mvappend(Type, "webrtc"), Type)

to4kawa
Ultra Champion
| makeresults 
| eval _raw="Type_call,Type
sip,Audio#Video
sip#web,Audio#Video" 
| multikv forceheader=1 
| foreach "Type*" 
    [ eval <<FIELD>> = split('<<FIELD>>',"#")] 
| table Type_call Type
| nomv Type_call
| eval Type=if(match(Type_call,"web"), mvappend(Type, "webrtc"), Type)

It works, thank you

amir_bnp
Explorer

it works thank you @to4kawa .

I used that :

...| table pole participant type_call_leg type | eval type=if(match(type_call_leg,"acano"), mvappend(type, "webrtc"), type)

and it works with the "match" and not "mvfind"

thank you

0 Karma

bowesmana
SplunkTrust
SplunkTrust

The use of match and nomv rather then mvfind, is an indicator that the field was not multivalue or was hitting some MV field limit. In principle mvfind should work as a general rule.

0 Karma

amir_bnp
Explorer

ok thanks for this clarification.

Amir

0 Karma

arjunpkishore5
Motivator

I hadn't noticed that you have a similar approach in yours. 🙂

0 Karma

amir_bnp
Explorer

thanks to you @arjunpkishore5 also for your request it works with the match

Amir

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw="Type_call,Type
sip,Audio#Video
sip#web,Audio#video"
| multikv forceheader=1
| foreach Type*
    [eval <<FIELD>> = split('<<FIELD>>',"#")]
| table Type_call Type
`comment("this is sample base data")`
| eval Type=if(mvfind(Type_call,"web") > 0, mvappend(Type,"webtrc"),Type)

Hi, try this.

amir_bnp
Explorer

Hello to4kawa,

Thank you for you answer.

How do you do that but without the makeresults and the sample of data and the foreach?

My data is contained as the table above and i have other string in addition to "Audio" and "Video".

I have a field type_call and type and I want to do what I explained above but without using a data sample but with the data contained in the fields as splunk does.

Thank you
Amir

0 Karma

bowesmana
SplunkTrust
SplunkTrust

This is the relevant line that does the work

eval Type=if(mvfind(Type_call,"web") > 0, mvappend(Type,"webtrc"),Type)

The rest is setup. The mvfind is looking for the string 'web' in the Type_call and if found (>0) the it adds the webtrc field to the existing multivalue Type field

to4kawa
Ultra Champion

Thank you @bowesmana , that's right.
so, hi @amir_bnp

| makeresults 
| eval _raw="Type_call,Type
sip,Audio#Video
sip#web,Audio#Video" 
| multikv forceheader=1 
| foreach "Type*" 
    [ eval <<FIELD>> = split('<<FIELD>>',"#")] 
| table Type_call Type

Have you checked this result first?

Type_call      Type
sip            Audio
               Video
----------------------------
sip            Audio
web            Video

From this result, webtrc is added when the query eval is executed.
But if this doesn't work, it seems that Type_call is not multivalue, unlike the example given.

what's your query?

0 Karma

amir_bnp
Explorer

hi @to4kawa ,

your request works for the small table that I gave as an example but how do I change the request for it to work on a table containing the same fields but with thousands of lines?

thank you and sorry if I did not understand at first.

Amir

0 Karma

amir_bnp
Explorer

Hello @bowesmana ,

I already tried this but it didn't work.

In my row which contains "sip" and "web" in the field Type_call, I don't have the "webrtc" which is added in the "Type" fields.

Thanx
Amir

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...