Solved: Extract field values by eliminating random strings

Allampally · ‎02-11-2020

I have field values as below ,
field1=value1 filed2=server1
field1=service/value2/a1 field2=server2
field1=value3 field2=server3
field1=service/value4/a2 filed2=server4
field1=value5 field2=server5
field1=service/value6/a2 filed2=server4
field1=value7 field2=server6
field1=service/value8/a2 filed2=server2
I am getting few extra strings on field1 from server2 and server4. Now i want to check, if log is from server2 or server4, then truncating pre and post random values and save only actual value
My final output field should be like below
field1=value1; value2; value3; value4; value5; value6.. etc

vnravikumar · ‎02-11-2020

Hi

Check this

| makeresults 
| eval field1="value1",field2="server1" 
| append 
    [| makeresults 
    | eval field1="service/value2/a1",field2="server2"] 
| append 
    [| makeresults 
    | eval field1="service/value4/a2", field2="server4"] 
| eval field1 = if(field2="server2" OR field2="server4",mvindex(split(field1,"/"),1),field1 ) 
| table field1 
| mvcombine delim=";" field1 
| nomv field1

View solution in original post

vnravikumar · ‎02-11-2020

Hi

Check this

| makeresults 
| eval field1="value1",field2="server1" 
| append 
    [| makeresults 
    | eval field1="service/value2/a1",field2="server2"] 
| append 
    [| makeresults 
    | eval field1="service/value4/a2", field2="server4"] 
| eval field1 = if(field2="server2" OR field2="server4",mvindex(split(field1,"/"),1),field1 ) 
| table field1 
| mvcombine delim=";" field1 
| nomv field1

Extract field values by eliminating random strings

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms