I was just looking up the eval substr function in Splunk and was wondering if it is possible to get a substring from 0 to a character. Basically I have a field that contains two times with a message:
Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT
I basically want to get a substring and grab from the beginning to GMT and set it into a new field Message1, then grab the rest in another substring and put that into Message2.
Message1= hello 8/30/2017 01:32:00 GMT
Message2= goodbye 8/30/2017 01:33:00 GMT
Try something like:
| makeresults
| eval _raw="Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT"
| rex "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"
If you don't mind a multivalue field:
| makeresults
| eval _raw="Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT foo 8/30/2017 01:32:00 GMT bar 8/30/2017 01:33:00 GMT"
| rex "Message= (?P<message>.*)"
| rex field=message max_match=0 "\s*(?P<Messages>.*?GMT)"
Then you can add this:
| eval Message1=mvindex(Messages, 0)
| eval Message2=mvindex(Messages, 1)
| eval Message3=mvindex(Messages, 2)
| eval Message4=mvindex(Messages, 3)
| eval Message5=mvindex(Messages, 4)
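To show what the max_match=0 extraction above yields when a Notes value carries any number of messages (the case raised later in the comments), here is the same regex logic re-implemented with Python's re module, which uses the same (?P<name>...) group syntax as rex. This is an added example, not code from the thread; the sample Notes string is constructed, and the split_messages, parse_message and parse_notes helper names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the same shape as the thread's "Notes" field,
# with three messages to cover the "more than two" case.
SAMPLE_NOTES = ("Message= hello 8/30/2017 01:32:00 GMT "
                "goodbye 8/30/2017 01:33:00 GMT "
                "foo 8/30/2017 01:34:00 GMT")

# Same pattern as the rex command. The leading \s* sits outside the group so
# that repeated matches (rex max_match=0) do not start with the space that
# separates one message from the next.
MESSAGE_RE = re.compile(r"\s*(?P<message>.*?GMT)")

# Splits one extracted chunk into its text and its timestamp.
PARTS_RE = re.compile(
    r"^(?P<text>.*?)\s+(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) GMT$")


def split_messages(notes):
    # Equivalent to: rex field=Notes "Message=\s*(?P<body>.*)"
    #                | rex field=body max_match=0 "\s*(?P<message>.*?GMT)"
    m = re.match(r"Message=\s*(?P<body>.*)", notes)
    body = m.group("body") if m else notes
    return [hit.group("message") for hit in MESSAGE_RE.finditer(body)]


def parse_message(message):
    # Returns the text and a timezone-aware UTC datetime, or None when the
    # chunk does not end in a "<date> <time> GMT" stamp.
    m = PARTS_RE.match(message)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S")
    return {"text": m.group("text"), "time": ts.replace(tzinfo=timezone.utc)}


def parse_notes(notes):
    # Builds Message1..MessageN (as mvindex would) plus the parsed parts,
    # for however many messages the field contains.
    out = {}
    for i, chunk in enumerate(split_messages(notes), start=1):
        out["Message%d" % i] = chunk
        out["Message%d_parsed" % i] = parse_message(chunk)
    return out
```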
@cpetterborg I basically just want to split whenever I see "GMT" and put it into a new field
@cpetterborg Also there is the possibility of there being more than 2 messages with time stamps.
@cpetterborg There are multiple different events though that have different messages like this in a "Notes" field. Will the rex command still work if I just did:
| makeresults | then the rex command you have?
@kdimaria, if your current field is Notes, you can use just the rex command on that field:
<YourBaseSearch>
| rex field=Notes "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"
In case you don't know the field name, you can apply it directly on the _raw data:
<YourBaseSearch>
| rex field=_raw "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"
@niketnilay Thank you, I think this will work, but now I just remembered that there's a possibility of there being more than two messages, so I don't know how I would account for that and might have to approach this problem differently.
@kdimaria, if possible please add some samples.
Actually I don't think that'd work.