Hi there.
A simple question.
I know I can use "rex", as usual, to do the job, or other methods (field extraction, definition etc... in WebIf in SearchHead), or do it directly in Indexers with props/transforms... but I'm curious to know if this can be done, easily, with a simple SPL command (like "extract" or "multikv", for example)...
The log has no header, so it looks like... only key-value, no key-name and not a header:
timestamp;field1value;field2value;field3value;fieldNvalue
Can an SPL command (not rex 😉 ) extract those fields, also with temporary names (to rename them later), in a simple way? Thanks.
You could split the field using ";" as the delimiter, then eval your renamed fields using mvindex to pull out each one from the mv field
This is really what I need to do 😏
mysearch
| eval fields=split(_raw,";") , field1=mvindex(fields,1) , field2=mvindex(fields,2) , field3=mvindex(fields,3) , field4=mvindex(fields,4)
| table _raw fields field1 field2 field3 field4
Response,
"timestamp;field1value;field2value;field3value;fieldNvalue" "THE_MV_SPLITTED_FIELDS" FIELD1 FIELD2 FIELD3 FIELD4
... now I can work with all named extracted fields...
... went perfect 😁 it was under my eyes, as usual, and I didn't see it 😎
Thanks..... 👍
How to identify which is field and which is value if there is no delimiter?
timestamp;field1value;field2value;field3value;fieldNvalue