Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use split in search?

sbimizry
Engager
‎08-02-2019 03:04 AM

Hi, how to me use a command split or other command that make two field from one?
Example: Im get a token with text "1** or 2**", I must use this in search | where field=$token$ that get all event with 100-299 number, or using | eval field2=split($token$," or ") and next step using a mvindex(field2, 0), but this not work. And, how to make an exception if in token is "*".

Thanks.

Tags (2)
0 Karma
Reply

guarisma
Contributor
‎08-02-2019 07:45 AM

Can you post a sample of the event and what is currently being extracted? it's hard to understand what you are trying to do.

So a Field called token is extracted and it's value could be a String like "121 or 265"?
You could do an extraction on the token field:

... | rex field=token "(?<token1>\d{3})\sor\s(?<token2>\d{3})"

This will create 2 new fields, token1 and token2

0 Karma
Reply

FrankVl
Ultra Champion
‎08-05-2019 03:37 AM

From what I understand (but I agree it is a bit unclear), he has a dashboard with a text input, resulting in a token $token$. That text input can contain a search string like "1** or 2**" which he would like to apply to a certain field to filter the results.

You might want to take a look at this (rather old) question and answer about manipulating a token: https://answers.splunk.com/answers/127021/manipulate-a-token-string-in-a-form.html

Assuming that approach still works, I think that provides all the ingredients needed to solve your challenge as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...