Splunk Search

How to use the mvindex command to remove all characters after the second period (.) for a field's values?

Builder

Hello,

I am finding difficulty to use the mvindex command to remove all the characters after the second period (.). Below is the column name Asset_name which has those values:

Asset_Name

s.hal.ews.int
n2323paop-34.storage.ews.int

I want the output to be:

s7050qalv.hal
n2323paop-34.storage

Tags (3)
0 Karma
1 Solution

Builder

I got it

eval "Asset Names"=mvindex(split('Asset Names',".ews"),0)

View solution in original post

Motivator

Try this just all by itself:

| gentimes start=-1 | eval Asset_Name="n2323paop-34.storage.ews.int"
| eval "Asset Name"=replace(Asset_Name,"(.+)\.ews.*","\1")
| table "Asset Name" Asset_Name

The 1st line is for setup, the second does the work, and the third shows the two -- before and after.

0 Karma

Ultra Champion

A simplistic replace might be ok for you -
| eval new_Asset_Name = replace(Asset_Name,".ews.int","")

0 Karma

SplunkTrust
SplunkTrust

What is your current query? Is your sample data a single event with two asset names or two events with one asset name each?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Builder

I got it

eval "Asset Names"=mvindex(split('Asset Names',".ews"),0)

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!