Can a group be defined based on a list of variable...

3618475 · ‎05-28-2020

I have an xml file in a logging statement that I extracted 3 instances of the value . These values are correctly displayed in a table in separate columns.
The xml file will have 2 or 3 instances of the value: ****
This is the query:

source="messaging-service.log" sourcetype="hidden" "createMessage MsgSource" | xmlkv  | rex max_match=0 "\<purchCostReference\>(?P<segment>[^\<]+)" | eval Segment1 =  if(isnotnull(mvindex(segment, 0)), "FirstSegment", ""), Segment2 =  if(isnotnull(mvindex(segment, 1)), "SecondSegment", ""),  Segment3 =  if(isnotnull(mvindex(segment, 2)), "ThirdSegment", "")  | table purchCostReference, eventType, Segment1, Segment2, Segment3

I tried using the case statement but it only returns the first value, FirstSegment in the table.

sourcetype... | xmlkv  | rex max_match=0 "\<purchCostReference\>(?P<segment>[^\<]+)" | eval Segments =  case(isnotnull(mvindex(segment, 0)), "FirstSegment", isnotnull(mvindex(segment, 1)), "SecondSegment", isnotnull(mvindex(segment, 2)), "ThirdSegment") |  table purchCostReference, eventType, Segments | eventstats list(Segments) as Segments by purchCostReference, eventType | sort purchCostReference, eventType

I would like there to be 1 column, Segment and the FirstSegment, SecondSegment, ThirdSegment be listed in the column.
Is there any Splunk function that allows me to create a group called 'Segment' and add the variables, FirstSegment, SecondSegment, ThirdSegment to it?

richgalloway · ‎05-29-2020

Use the concatenation operator.

| eval Segment = FirstSegment . " " . SecondSegment . " " . ThirdSegment

---
If this reply helps you, Karma would be appreciated.

Can a group be defined based on a list of variables

eval

field extraction

table

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

Are you a member of the Splunk Community?