Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Filter Table Output?

RahulMisra
Engager
‎09-19-2023 03:45 AM

I have an output of

 

index=feds  | fillnull value="" | table httpRequest.clientIp labels{}.name

awswaf:clientip:geo:country:US
awswaf:managed:token:absent
awswaf:clientip:geo:region:US-IL
awswaf:managed:aws:bot-control:signal:non_browser_user_agent
 
wswaf:clientip:geo:country:US
awswaf:managed:token:absent
awswaf:clientip:geo:region:US-IL
awswaf:managed:aws:bot-control:signal:non_browser_user_agent
 
wswaf:clientip:geo:country:US
awswaf:managed:token:absent
awswaf:clientip:geo:region:US-IL
awswaf:managed:aws:bot-control:signal:non_browser_user_agent
 
But need to filter "awswaf:managed:aws:bot-control:signal:non_browser_user_agent" on Table output and see the results only on "awswaf:managed:aws:bot-control:signal:non_browser_user_agent"
Labels (1)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 03:49 AM

If it is always the last item of a multivalue field, you could try something like this

index=feds  | fillnull value="" | table httpRequest.clientIp labels{}.name
| rename "labels{}.name" as name
| eval name=mvindex(name, -1)
0 Karma
Reply

RahulMisra
Engager
‎09-19-2023 04:41 AM

not always the last 😞

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 04:43 AM

Does it always start with "awswaf:managed"? Or is there some other way to recognise the part you want displayed?

0 Karma
Reply

RahulMisra
Engager
‎09-19-2023 04:47 AM

Always with that String

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 08:13 AM

You could try extracting just that part from your events. If you want help doing that, you should share some raw events in a code block </> to preserve formatting.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...