Solved: Re: split the filed with a hyphen "-" separator

Allampally · ‎05-27-2019

Hi Team,

I have a index below and i want to split the index values and create a new field with it.
Example
index=app-production
index=app-sit
index=app-uat.... etc.
i want to create a new filed as "Environment" and add the splitted values to it such as
Environment field should have "production, sit, uat, .." values

kamlesh_vaghela · ‎05-27-2019

@Allampally

Can you please try this?

YOUR_SEARCH | eval Environment=mvindex(split(index,"-"),1)

Sample search:

| makeresults | eval index="app-production" | eval Environment=mvindex(split(index,"-"),1)

View solution in original post

DavidHourani · ‎05-27-2019

Hi @Allampally,

Both solutions here from @kamlesh_vaghela and @koshyk will do what you're looking for. If you need a more permanent solution please add the following to your sourcetype in props.conf:

[yoursourcetype]
EVAL-Environment=mvindex(split(index,"-"),1)

This will always include the Environment search in all your queries without having to append anything to your search.

Cheers,
David

koshyk · ‎05-27-2019

alternatively you could use rex command too

 | makeresults | eval index="app-production" | rex field=index "\w+\-(?<Environment>\w+)"

cheers

kamlesh_vaghela · ‎05-27-2019

@Allampally

Can you please try this?

YOUR_SEARCH | eval Environment=mvindex(split(index,"-"),1)

Sample search:

| makeresults | eval index="app-production" | eval Environment=mvindex(split(index,"-"),1)

split the filed with a hyphen "-" separator

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...