Splunk Search

Extract field values by eliminating random strings

Allampally
Path Finder

I have field values as below ,
field1=value1 filed2=server1
field1=service/value2/a1 field2=server2
field1=value3 field2=server3
field1=service/value4/a2 filed2=server4
field1=value5 field2=server5
field1=service/value6/a2 filed2=server4
field1=value7 field2=server6
field1=service/value8/a2 filed2=server2
I am getting few extra strings on field1 from server2 and server4. Now i want to check, if log is from server2 or server4, then truncating pre and post random values and save only actual value
My final output field should be like below
field1=value1; value2; value3; value4; value5; value6.. etc

0 Karma
1 Solution

vnravikumar
Champion

Hi

Check this

| makeresults 
| eval field1="value1",field2="server1" 
| append 
    [| makeresults 
    | eval field1="service/value2/a1",field2="server2"] 
| append 
    [| makeresults 
    | eval field1="service/value4/a2", field2="server4"] 
| eval field1 = if(field2="server2" OR field2="server4",mvindex(split(field1,"/"),1),field1 ) 
| table field1 
| mvcombine delim=";" field1 
| nomv field1

View solution in original post

0 Karma

vnravikumar
Champion

Hi

Check this

| makeresults 
| eval field1="value1",field2="server1" 
| append 
    [| makeresults 
    | eval field1="service/value2/a1",field2="server2"] 
| append 
    [| makeresults 
    | eval field1="service/value4/a2", field2="server4"] 
| eval field1 = if(field2="server2" OR field2="server4",mvindex(split(field1,"/"),1),field1 ) 
| table field1 
| mvcombine delim=";" field1 
| nomv field1
0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...