Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Create new fields based on value of another fields.

paragvidhi
Engager
‎05-08-2020 08:17 AM

Hi All,
In my log, I have one field called ServerName. Below are some values of that field.

DAAPP2aBANG2
DFAPP20bLON2
UATSER1aUS1
UATSER1bUS2

We differentiate the above server with node A and node B based on the first character we got after the first occurrence of one or more digit.

DAAPP2aBANG2 -- its node a
DFAPP20bLON2 --- its node b
UATSER1aUS1 --- its node a
UATSER1bUS2 --- its node b

Here I want to create two fields called NodeA, and NodeB

In NodeA it should contain DAAPP2aBANG2 ,UATSER1aUS1
In NodeB it should contain DFAPP20bLON2, UATSER1bUS2

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-08-2020 08:32 AM

Hi @paragvidhi,
you could try something like this:

index=your_index
| rex field=ServerName "\w+\d(?<Node>a|b)"
| eval Node="Node ".Node
| table ServerName Node

You can test the regex at https://regex101.com/r/jLeU1f/1

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...