Solved: Extract field values by eliminating random strings

Allampally · ‎02-11-2020

I have field values as below ,
field1=value1 filed2=server1
field1=service/value2/a1 field2=server2
field1=value3 field2=server3
field1=service/value4/a2 filed2=server4
field1=value5 field2=server5
field1=service/value6/a2 filed2=server4
field1=value7 field2=server6
field1=service/value8/a2 filed2=server2
I am getting few extra strings on field1 from server2 and server4. Now i want to check, if log is from server2 or server4, then truncating pre and post random values and save only actual value
My final output field should be like below
field1=value1; value2; value3; value4; value5; value6.. etc

vnravikumar · ‎02-11-2020

Hi

Check this

| makeresults 
| eval field1="value1",field2="server1" 
| append 
    [| makeresults 
    | eval field1="service/value2/a1",field2="server2"] 
| append 
    [| makeresults 
    | eval field1="service/value4/a2", field2="server4"] 
| eval field1 = if(field2="server2" OR field2="server4",mvindex(split(field1,"/"),1),field1 ) 
| table field1 
| mvcombine delim=";" field1 
| nomv field1

View solution in original post

vnravikumar · ‎02-11-2020

Hi

Check this

| makeresults 
| eval field1="value1",field2="server1" 
| append 
    [| makeresults 
    | eval field1="service/value2/a1",field2="server2"] 
| append 
    [| makeresults 
    | eval field1="service/value4/a2", field2="server4"] 
| eval field1 = if(field2="server2" OR field2="server4",mvindex(split(field1,"/"),1),field1 ) 
| table field1 
| mvcombine delim=";" field1 
| nomv field1

Extract field values by eliminating random strings

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation