How to Filter Table Output?

RahulMisra · ‎09-19-2023

I have an output of

index=feds | fillnull value="" | table httpRequest.clientIp labels{}.name

awswaf:clientip:geo:country:US

awswaf:managed:token:absent

awswaf:clientip:geo:region:US-IL

awswaf:managed:aws:bot-control:signal:non_browser_user_agent

wswaf:clientip:geo:country:US

awswaf:managed:token:absent

awswaf:clientip:geo:region:US-IL

awswaf:managed:aws:bot-control:signal:non_browser_user_agent

wswaf:clientip:geo:country:US

awswaf:managed:token:absent

awswaf:clientip:geo:region:US-IL

awswaf:managed:aws:bot-control:signal:non_browser_user_agent

But need to filter "awswaf:managed:aws:bot-control:signal:non_browser_user_agent" on Table output and see the results only on "awswaf:managed:aws:bot-control:signal:non_browser_user_agent"

ITWhisperer · ‎09-19-2023

If it is always the last item of a multivalue field, you could try something like this

index=feds  | fillnull value="" | table httpRequest.clientIp labels{}.name
| rename "labels{}.name" as name
| eval name=mvindex(name, -1)

RahulMisra · ‎09-19-2023

not always the last 😞

ITWhisperer · ‎09-19-2023

Does it always start with "awswaf:managed"? Or is there some other way to recognise the part you want displayed?

RahulMisra · ‎09-19-2023

Always with that String

ITWhisperer · ‎09-19-2023

You could try extracting just that part from your events. If you want help doing that, you should share some raw events in a code block </> to preserve formatting.

How to Filter Table Output?

table

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

Are you a member of the Splunk Community?

How to Filter Table Output?

table

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!