How to list all the values which are greater than ...

bollam · ‎07-25-2018

I have following values for a field="Listdir". I want to get the only the values which contains 3 or more directories.

/opt/test/class/
/opt/
/opt/test/learn/
/opt/test/
/opt/test/class/file/
/opt/
/opt/test/class/file/location/users/
/opt/test/class/
/opt/test/class/bin/
/opt/

The output should look like below:
/opt/test/class/
/opt/test/learn/
/opt/test/class/file/
/opt/test/class/file/location/users/
/opt/test/class/bin/

HiroshiSatoh · ‎07-25-2018

How's this?

ex)
    | makeresults |eval text="/opt/test/class/file/location/users/"
    |eval result=split(text ,"/"),count=mvcount(result)
    |where count>3

knielsen · ‎07-25-2018

You could filter with the regex command maybe.

run all example:
| makeresults | eval Listdir="/opt/test/class/#/opt/#/opt/test/learn/#/opt/test/class/file/#/opt/#/opt/test/class/file/location/users/" | makemv delim="#" Listdir | mvexpand Listdir | regex Listdir="(\/[^\/]+){3}/*"

So the last line is the actual filter, the rest was to test it. 🙂

Hth,
-Kai.

bollam · ‎07-25-2018

@knielsen Thanks for the quick response!! Actually, The field contains dynamic values and values are more than 100, How do I get results in the case where we do not know the exact values of field "Listdir"? I need to filter out the values which contains more than 3 directories from all the values of the field "Listdir".

knielsen · ‎07-25-2018

Well, this should work already for any list. The filter is "(\/[^\/]+){3}/*" regardless of the directory names, I just filtered for anything that has at least three leading sections with "/...".

How to list all the values which are greater than or equal to three after splitting?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!