Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to use split in search?

sbimizry
Engager
‎08-02-2019 03:04 AM

Hi, how to me use a command split or other command that make two field from one?
Example: Im get a token with text "1** or 2**", I must use this in search | where field=$token$ that get all event with 100-299 number, or using | eval field2=split($token$," or ") and next step using a mvindex(field2, 0), but this not work. And, how to make an exception if in token is "*".

Thanks.

Tags (2)
0 Karma
Reply

guarisma
Contributor
‎08-02-2019 07:45 AM

Can you post a sample of the event and what is currently being extracted? it's hard to understand what you are trying to do.

So a Field called token is extracted and it's value could be a String like "121 or 265"?
You could do an extraction on the token field:

... | rex field=token "(?<token1>\d{3})\sor\s(?<token2>\d{3})"

This will create 2 new fields, token1 and token2

0 Karma
Reply

FrankVl
Ultra Champion
‎08-05-2019 03:37 AM

From what I understand (but I agree it is a bit unclear), he has a dashboard with a text input, resulting in a token $token$. That text input can contain a search string like "1** or 2**" which he would like to apply to a certain field to filter the results.

You might want to take a look at this (rather old) question and answer about manipulating a token: https://answers.splunk.com/answers/127021/manipulate-a-token-string-in-a-form.html

Assuming that approach still works, I think that provides all the ingredients needed to solve your challenge as well.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...