Solved: Extract field values by eliminating random strings

Allampally · ‎02-11-2020

I have field values as below ,
field1=value1 filed2=server1
field1=service/value2/a1 field2=server2
field1=value3 field2=server3
field1=service/value4/a2 filed2=server4
field1=value5 field2=server5
field1=service/value6/a2 filed2=server4
field1=value7 field2=server6
field1=service/value8/a2 filed2=server2
I am getting few extra strings on field1 from server2 and server4. Now i want to check, if log is from server2 or server4, then truncating pre and post random values and save only actual value
My final output field should be like below
field1=value1; value2; value3; value4; value5; value6.. etc

vnravikumar · ‎02-11-2020

Hi

Check this

| makeresults 
| eval field1="value1",field2="server1" 
| append 
    [| makeresults 
    | eval field1="service/value2/a1",field2="server2"] 
| append 
    [| makeresults 
    | eval field1="service/value4/a2", field2="server4"] 
| eval field1 = if(field2="server2" OR field2="server4",mvindex(split(field1,"/"),1),field1 ) 
| table field1 
| mvcombine delim=";" field1 
| nomv field1

View solution in original post

vnravikumar · ‎02-11-2020

Hi

Check this

| makeresults 
| eval field1="value1",field2="server1" 
| append 
    [| makeresults 
    | eval field1="service/value2/a1",field2="server2"] 
| append 
    [| makeresults 
    | eval field1="service/value4/a2", field2="server4"] 
| eval field1 = if(field2="server2" OR field2="server4",mvindex(split(field1,"/"),1),field1 ) 
| table field1 
| mvcombine delim=";" field1 
| nomv field1

Extract field values by eliminating random strings

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest