A standard eval if match example is below.
Any ViewUrl value which starts with /company/.* has the entire string replaced with only "/company/*"
my search | eval ViewUrl=if(match(ViewUrl,"/company/.*"), "/company/*", ViewUrl)
Is it possible to do this dynamically from a list of values?
For example instead of only having the single value of "/company/*" I have around 500 values in a lookup or populated from a sub-search.
I could write this out manually as below, however this is impractical.
my search | eval ViewUrl=if(match(ViewUrl,"value1"),"value1",ViewUrl)
| eval ViewUrl=if(match(ViewUrl,"value2"),"value2",ViewUrl)
| eval ViewUrl=if(match(ViewUrl,"value3"),"value3",ViewUrl)
| eval ViewUrl=if(match(ViewUrl,"valuen"),"valuen",ViewUrl)
Is there a way of using a loop or the foreach command to achieve the above in a few lines instead of hundreds?
Thanks,
Dan
@DanielFordWA Is your problem resolved? If so, please accept the answer to help future readers.
What about creating a custom command or external lookup? You can just pass the ViewUrl value to the Python script, where you will handle the matching part. Then from the Python script you will return the data to Splunk.
Sid
Splunk is not very practical but I managed to make 500
"| eval ViewUrl=if(match(ViewUrl,"valueX"),"valueX",ViewUrl)"
Why don't you use a lookup? What is your base search?
$your search
| streamstats count AS a
| map search="makeresults count=500 |head 1| eval a = $a$+ 1" maxsearches=500
| transpose 500
| eval column = 1
| foreach column row*
[ eval value<<MATCHSTR>> = "value<<MATCHSTR>>" ]
| fields val*
| fields - value
| foreach value*
[ eval ViewUrl=if(match(ViewUrl,"<<MATCHSTR>>"),"<<MATCHSTR>>",ViewUrl) ]
Is it just a front match? Also, may there be multiple matches?
I think we can use a lookup if it is just a forward match.
https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html
It cannot be set in the GUI when a wildcard is used. You need to edit the configuration file.
I downvoted this post because it links off site to a paywalled solution with no answer given.
Excuse me. Since I was using the URL example, I used it without knowing it was a link to a paid site. The link has been fixed to point to Answers.
Also, linking off site to a paywalled solution is not really what Splunk Answers is about.
Just a front match
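The external-lookup idea raised earlier in the thread, sketched as an added example that is not code from any poster here: a script that reads Splunk's external-lookup CSV on stdin, applies a front match against a pattern list, and writes the CSV back on stdout. The `PATTERNS` values, the `NormalizedUrl` output field and the function names are assumptions made for illustration; the prefix test is anchored at the start of the string, whereas `match()` treats each value as an unanchored regex.

```python
import csv
import sys

# Constructed sample values; in practice this would hold the ~500 lookup entries.
# Each entry is the replacement text; the trailing "*" marks a front (prefix) match.
PATTERNS = ["/company/*", "/company/reports/*", "/account/*"]


def build_prefixes(patterns):
    """Return (prefix, replacement) pairs, longest prefix first, so that the
    most specific pattern wins when several prefixes match the same URL."""
    pairs = [(p[:-1] if p.endswith("*") else p, p) for p in patterns]
    return sorted(pairs, key=lambda pair: len(pair[0]), reverse=True)


def normalize(view_url, prefixes=None):
    """Replace view_url with the pattern whose prefix it starts with.
    URLs that match no pattern are returned unchanged."""
    if prefixes is None:
        prefixes = build_prefixes(PATTERNS)
    for prefix, replacement in prefixes:
        # Literal, anchored comparison: no regex metacharacters are interpreted.
        if view_url.startswith(prefix):
            return replacement
    return view_url


def run_lookup(infile, outfile, in_field="ViewUrl", out_field="NormalizedUrl"):
    """Fill out_field for every CSV row read from infile and write to outfile."""
    prefixes = build_prefixes(PATTERNS)
    reader = csv.DictReader(infile)
    fieldnames = list(reader.fieldnames or [in_field])
    if out_field not in fieldnames:
        fieldnames.append(out_field)
    writer = csv.DictWriter(outfile, fieldnames=fieldnames)
    writer.writeheader()
    for row in reader:
        row[out_field] = normalize(row.get(in_field) or "", prefixes)
        writer.writerow(row)


if __name__ == "__main__":
    # Splunk sends the rows to look up as CSV on stdin and reads CSV from stdout.
    run_lookup(sys.stdin, sys.stdout)
```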