Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can a group be defined based on a list of variables

3618475
Engager
‎05-28-2020 05:57 PM

I have an xml file in a logging statement that I extracted 3 instances of the value . These values are correctly displayed in a table in separate columns.
The xml file will have 2 or 3 instances of the value: ****
This is the query:

source="messaging-service.log" sourcetype="hidden" "createMessage MsgSource" | xmlkv  | rex max_match=0 "\<purchCostReference\>(?P<segment>[^\<]+)" | eval Segment1 =  if(isnotnull(mvindex(segment, 0)), "FirstSegment", ""), Segment2 =  if(isnotnull(mvindex(segment, 1)), "SecondSegment", ""),  Segment3 =  if(isnotnull(mvindex(segment, 2)), "ThirdSegment", "")  | table purchCostReference, eventType, Segment1, Segment2, Segment3

I tried using the case statement but it only returns the first value, FirstSegment in the table.

sourcetype... | xmlkv  | rex max_match=0 "\<purchCostReference\>(?P<segment>[^\<]+)" | eval Segments =  case(isnotnull(mvindex(segment, 0)), "FirstSegment", isnotnull(mvindex(segment, 1)), "SecondSegment", isnotnull(mvindex(segment, 2)), "ThirdSegment") |  table purchCostReference, eventType, Segments | eventstats list(Segments) as Segments by purchCostReference, eventType | sort purchCostReference, eventType

I would like there to be 1 column, Segment and the FirstSegment, SecondSegment, ThirdSegment be listed in the column.
Is there any Splunk function that allows me to create a group called 'Segment' and add the variables, FirstSegment, SecondSegment, ThirdSegment to it?

Labels (3)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2020 07:03 AM

Use the concatenation operator.

| eval Segment = FirstSegment . " " . SecondSegment . " " . ThirdSegment
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...