How to add a string in the field value when there ...

shivani364 · ‎06-23-2023

I have a field named "port_number" in my results which gives multivalves as follows.

source	destination	port_number
3.4.5.6	22.34.56.78	1234
12.23.43.54	13.45.65.76	1234 3456 4567 8764 2345 2345 2349
12.32.43.54	65.43.21.12	7899 6788 4566 2344

Whereas query is as follows

Index= ABC | stats values(port_number) as port_number by source, destination

Now how can I make the result look like as follows

Expected Outcome :-

source	destination	port_number
3.4.5.6	22.34.56.78	1234
12.23.43.54	13.45.65.76	1234 3456 Check logs for more port numbers
12.32.43.54	65.43.21.12	7899 6788 check logs for more port numbers

As you can see in the above result all I am trying to do is if there are more than 2 values in a field then I would like to add a text instead of displaying all the numbers as some results have more than 100 ports.

richgalloway · ‎06-23-2023

This is a new and interesting question. This should do it.

| eval components=if(mvcount(components)>2, mvappend(mvindex(components,0),mvindex(components,1),"Check logs for more port numbers"), components)

---
If this reply helps you, Karma would be appreciated.

How to add a string in the field value when there are more than 2 values in a field?

eval

field extraction

fields

regex

stats

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases