Splunk Search

How to combine two fields into one after if without losing values

ebs
Communicator

Hi,

I have a uri_path that I want to combine into a single value, and put the combined value back into the original field and I have achieved that with the below search:

index=ping_sandbox uri_path=/as/*/resume/as/authorization
| eval uri=if(like(uri_path, "/as/%/resume/as/authorization"), "resume/as/authorization", uri)
| eval uri_path=mvappend(uri, url_path)

However, not every uri_path is /as/*/resume/as/authorization, and when I remove the uri_path search value, all the other uri_path values are gone.

For example, here's 3 values /1 /2 /3, and if I do the above eval statements for /as/*/resume/as/authorization I don't have /1 /2 or /3 anymore.

Does anyone have any advice on how to do the above eval statements while still retaining the rest of the field values? I only want the eval statements applied if /as/*/resume/as/authorization is present as well

Labels (2)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

It looks like you have 2 typos in your SPL

 

| eval uri=if(like(uri_path, "/as/%/resume/as/authorization"), "resume/as/authorization", uri_path)
| eval uri_path=mvappend(uri, uri_path)

 

3rd param to if should be uri_path - you had uri

2nd param to mvappend() was url_path, should be uri_path

HOWEVER, you can do this with a single line

| eval uri_path=if(like(uri_path, "/as/%/resume/as/authorization"), mvappend("resume/as/authorization", uri_path), uri_path)

 

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

It looks like you have 2 typos in your SPL

 

| eval uri=if(like(uri_path, "/as/%/resume/as/authorization"), "resume/as/authorization", uri_path)
| eval uri_path=mvappend(uri, uri_path)

 

3rd param to if should be uri_path - you had uri

2nd param to mvappend() was url_path, should be uri_path

HOWEVER, you can do this with a single line

| eval uri_path=if(like(uri_path, "/as/%/resume/as/authorization"), mvappend("resume/as/authorization", uri_path), uri_path)

 

richgalloway
SplunkTrust
SplunkTrust

Have you tried this?

index=ping_sandbox uri_path=*
| eval uri=if(like(uri_path, "/as/%/resume/as/authorization"), "resume/as/authorization", uri)
| eval uri_path=mvappend(uri, url_path)
---
If this reply helps you, an upvote would be appreciated.
0 Karma

ebs
Communicator

Yes, but all the field values are overwritten by the uri field value from the eval if

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...