A standard eval if match example is below.
Any ViewUrl value which starts with /company/.* has the entire string replaced with only "/company/*".
my search | eval ViewUrl=if(match(ViewUrl,"/company/.*"), "/company/*", ViewUrl)
Is it possible to do this dynamically from a list of values?
For example instead of only having the single value of "/company/*" I have around 500 values in a lookup or populated from a sub-search.
I could write this out manually as below, however this is impractical.
my search | eval ViewUrl=if(match(ViewUrl,"value1"),"value1",ViewUrl) | eval ViewUrl=if(match(ViewUrl,"value2"),"value2",ViewUrl) | eval ViewUrl=if(match(ViewUrl,"value3"),"value3",ViewUrl) | eval ViewUrl=if(match(ViewUrl,"valuen"),"valuen",ViewUrl)
Is there a way of using a loop or the for each command to achieve the above in a few lines instead of hundreds?
What about creating a custom command or external lookup? You can just pass the ViewUrl value to the Python script, where you will handle the matching part. Then, from the Python script, you will return the data to Splunk.
Splunk is not very practical but I managed to make 500
"| eval ViewUrl=if(match(ViewUrl,"valueX"),"valueX",ViewUrl)"
Why don't you use a lookup? What is your base search?
$your search | streamstats count AS a | map search="makeresults count=500 |head 1| eval a = $a$+ 1" maxsearches=500 | transpose 500 | eval column = 1 | foreach column row* [ eval value<<MATCHSTR>> = "value<<MATCHSTR>>" ] | fields val* | fields - value | foreach value* [ eval ViewUrl=if(match(ViewUrl,"<<MATCHSTR>>"),"<<MATCHSTR>>",ViewUrl) ]
Is it just a front match? Also, may there be multiple matches?
I think we can use a lookup if it is just a forward match.
It cannot be set in the GUI when a wildcard is used. You need to edit the configuration file.
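A sketch of the external-lookup route suggested earlier in the thread, added here as an example and not code from any of the posters. It assumes Splunk's CSV-over-stdin/stdout external lookup convention; the prefix list and the output field name `ViewUrlNorm` are constructed for illustration. When several prefixes match, the longest one wins.

```python
import csv
import sys

# Constructed sample prefixes; in practice these would be the ~500 lookup values.
PREFIXES = ["/company/", "/company/reports/", "/products/"]


def normalize(view_url, prefixes=PREFIXES):
    """Collapse view_url to '<longest matching prefix>*', or return it unchanged.

    Uses a literal prefix comparison, so the lookup values are never
    interpreted as regular expressions (unlike eval's match()).
    """
    best = ""
    for prefix in prefixes:
        if view_url.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return best + "*" if best else view_url


def run(instream, outstream, in_field="ViewUrl", out_field="ViewUrlNorm"):
    """Read lookup rows as CSV, fill out_field, and write CSV back."""
    reader = csv.DictReader(instream)
    fields = list(reader.fieldnames or [])
    if out_field not in fields:
        fields.append(out_field)
    writer = csv.DictWriter(outstream, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        # Short rows yield None for missing columns; treat that as empty.
        row[out_field] = normalize(row.get(in_field) or "")
        writer.writerow(row)


if __name__ == "__main__":
    run(sys.stdin, sys.stdout)
```

Writing the result to a separate field keeps the original ViewUrl available for investigation.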