Solved: How to create new field from a mv comma separated ...

clozach · ‎06-20-2019

My IP field will come in as the following:

1.1.1.1,2.2.2.2

I need to extract the first IP and store it in another field (origin_ip) so that origin_ip's value is solely:

1.1.1.1

Thanks

woodcock · ‎06-20-2019

You can do this as a calculated field

| makeresults | eval ip="1.1.1.1,2.2.2.2"
| eval origin_ip=replace(ip,",.*$","")

jnudell_2 · ‎06-21-2019

You could try:

... search stuff ...

| eval origin_ip = mvindex(split(myipfield, ","), 0)

OR

... search stuff ...

| eval origin_ip = replace(myipfield, ",.*", "")

woodcock · ‎06-20-2019

You can do this as a calculated field

| makeresults | eval ip="1.1.1.1,2.2.2.2"
| eval origin_ip=replace(ip,",.*$","")

richgalloway · ‎06-20-2019

There are a couple of ways to do that (possibly more)

... | rex field=ip "(?<origin_ip>[^,]+)" | ...

... | eval ips = split(ip, ",") | eval origin_ip = mvindex(ips, 0) | ...

---
If this reply helps you, Karma would be appreciated.

How to create new field from a mv comma separated ip value field?