Splunk Search

Field extract and zip them.

Contributor

(product=X Phone , 512 ГБ, золотой,shipMethodCode=E3,qty=1,deliveryType=STH,partNumber=MRU/A,deliveryDate=4 Окт - 11 Окт,commitCode=200,resolvedDate=4 Окт - 11 Окт,product=Phone, (PRODUCT)RED_Phone,shipMethodCode=E3,qty=1,deliveryType=STH,partNumber=M2ZM/A,deliveryDate=Пн 23 Сен,commitCode=24,resolvedDate=Пн 23 Сен)

I want to extract product and commitCode and Zip them.
I want display
Phone;commitCode
X Phone;200
RED_Phone;24

Can someone help please.

0 Karma

Super Champion

Hi @sandeepmakkena,

If you have kv_mode on auto the fields phone and commitCode should be automatically extracted. As shown here :
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Automatickey-valuefieldextractionsatse...

To zip the two fields together with a semi-colon seperator you can use the following eval:

| eval ZippedField=mvzip(phone, commitCode, ";")

Let me know if that helps and if you require a regex for the extraction instead of the automated kv extraction.

Cheers,
David

0 Karma

Super Champion

@sandeepmakkena, please let me know if the answer was helpful and if you need further help.

0 Karma

Champion

hmm your product characters are in different formats.
you have product= and (PRODUCT) , are they the only expected formats before the product name is mentioned in your events?

0 Karma

Contributor

I am new to this data. product= and (PRODUCT) happens when a user orders two or more at one transaction. I am not that's what you're looking for.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!