- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
damucka
Builder
06-18-2019
02:54 AM
Hello,
I need to concatenate two variables including strings (e-mail lists) into one.
the code I use for that is the following:
index=mlbso_changelog sourcetype="*_crashdumps" crash_context OR crash_stack OR crash_shortinfo NOT "table of contents"| reverse
| rex field=source "\/.+_(?P<DBSID>.+)\/(?P<service>.+)\_(?<filenameend>.+)$"
| eval filename = service."_".filenameend
| eval PRIO = "P1"
| lookup email_groups.csv DBSID OUTPUT email_recipients_DBSID AS email_recipients_DBSID
| lookup email_groups_critical_alerts.csv "PRIO" OUTPUT email_recipients_critical_alerts AS email_recipients_critical_alerts
| eval email_recipients=email_recipients_critical_alerts+";"+email_recipients_DBSID
So, it all seems to be quite straightforward. However when one of the components is empty (email_recipients_critical_alerts or email_recipients_DBSID) then also the result - email_recipients does not get set. Actually I would expect from the concatenation to set it at least to the other component.
Could you please advise?
Kind Regards,
Kamil
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
damucka
Builder
06-18-2019
04:41 AM
found an answer in another question:
| strcat email_recipients_critical_alerts ";" email_recipients_DBSID email_recipients
Regards,
Kamil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
damucka
Builder
06-18-2019
04:41 AM
found an answer in another question:
| strcat email_recipients_critical_alerts ";" email_recipients_DBSID email_recipients
Regards,
Kamil
