Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

New field from search results

nburgess1
Explorer
‎02-15-2017 06:27 AM

Hi,

I have a field called "OrgCode" with data like "L6" "L9" "G6" "K6" "K4", which is departments L G and K. I need to get a new field for each department.

Thanks

Tags (1)
0 Karma
Reply

nburgess1
Explorer
‎02-15-2017 09:28 AM

The substr method returns a new field with the first character of the OrgCode field. What I need is a field for DeptL where only the OrgCodes that start with L are in it. Then a DeptK field with only the OrgCodes that start with K are in it, and so on. This seems logical to me but doesn't work:

 eval DeptA=[search OrgCode=A*]
0 Karma
Reply

somesoni2
Revered Legend
‎02-15-2017 09:33 AM

After the field Department/dept is created, you will be able to filter records for a single department.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2017 08:48 AM

Assuming the department code is always the first character of OrgCode, one of these should do the job.

... | rex field=OrgCode "(?<dept>\w)" | ...

... | eval dept = substr(OrgCode, 1, 1) | ...
---
If this reply helps you, Karma would be appreciated.
Reply

somesoni2
Revered Legend
‎02-15-2017 08:45 AM

Try this

your current search which include field OrgCode | eval Deparment=replace(OrgCode,"^([A-z]+)\d+","\1")
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...