Re: How to use split in search?

sbimizry · ‎08-02-2019

Hi, how to me use a command split or other command that make two field from one?
Example: Im get a token with text "1** or 2**", I must use this in search | where field=$token$ that get all event with 100-299 number, or using | eval field2=split($token$," or ") and next step using a mvindex(field2, 0), but this not work. And, how to make an exception if in token is "*".

Thanks.

guarisma · ‎08-02-2019

Can you post a sample of the event and what is currently being extracted? it's hard to understand what you are trying to do.

So a Field called token is extracted and it's value could be a String like "121 or 265"?
You could do an extraction on the token field:

... | rex field=token "(?<token1>\d{3})\sor\s(?<token2>\d{3})"

This will create 2 new fields, token1 and token2

FrankVl · ‎08-05-2019

From what I understand (but I agree it is a bit unclear), he has a dashboard with a text input, resulting in a token $token$ . That text input can contain a search string like "1** or 2**" which he would like to apply to a certain field to filter the results.

You might want to take a look at this (rather old) question and answer about manipulating a token: https://answers.splunk.com/answers/127021/manipulate-a-token-string-in-a-form.html

Assuming that approach still works, I think that provides all the ingredients needed to solve your challenge as well.

How to use split in search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation