Hello,
How can I extract multiple values from a string after each slash? In the example below, I would like to extract field1 with the value "Subscription", field2 with the value "83C4EEEF-XXOA-1234", and so on.
/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS
Thank you.
You could use split instead of rex.
| makeresults
| eval _raw="/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS"
| eval parts=split(_raw,"/")
You end up with a multi-value field, then you can use mvindex to pull out specific parts.
You can try something like the search below. Just go through my sample search and update it as per your requirement.
| makeresults
| eval _raw="/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS"
| eval uq=1
| accum uq
| eval parts=split(_raw,"/")
| stats count by uq, parts | where parts!=""
| eval a=1 | accum a | eval field{a}=parts | fields - a, count, parts
| stats values(*) as * by uq
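Putting the two answers together, here is an added sample search (not from either poster) that uses the split/mvindex approach for fixed positions and the dynamic field{n} approach for an arbitrary number of segments, with the numbering done per event. The two paths and the uq counter are constructed sample data; ltrim removes the leading slash so split does not produce an empty first value, and streamstats restarts the counter for each event instead of numbering every row in the result set.

```spl
| makeresults count=2
| streamstats count as uq
| eval path=if(uq=1,
    "/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS",
    "/SUBSCRIPTIONS/0000-SAMPLE-SUB/VIRTUALGROUPS/JANE.ROE")
| eval parts=split(ltrim(path,"/"),"/")
| eval subscription_id=mvindex(parts,1), resource_name=mvindex(parts,-1)
| mvexpand parts
| streamstats count as n by uq
| eval field{n}=parts
| stats first(path) as path, first(subscription_id) as subscription_id, first(resource_name) as resource_name, values(field*) as field* by uq
```

Replace the first three lines with your own search and the field that holds the path. The mvindex line alone is enough when you only need a few known positions (mvindex returns null rather than an error when a shorter path has no value at that index); the mvexpand/streamstats/stats part is only needed when you want one numbered field per segment regardless of depth, and it multiplies the row count by the number of segments, so run it over a bounded time range on large data sets.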
Thank you @kamlesh_vaghela! I tried the section below, but the search did not complete its run; it just kept searching. But the first 3 lines helped to get what I wanted to achieve after adding mvindex.
| stats count by uq, parts | where parts!=""
| eval a=1 | accum a | eval field{a}=parts | fields - a, count, parts
| stats values(*) as * by uq
Thank you for your help and suggestion!
Thanks @ITWhisperer. That looks like a hardcoded entry but the _raw column has unique values in each record. Is there a better way for this?
I am not sure I understand - the first two lines just set up sample data and should be replaced by your search. You will then have a multi-value field called parts for each event returned by your search, from which you can select the parts you want into different fields with the mvindex command. If that isn't what you want to do, please explain further.
Sorry I misunderstood the first two lines. I've just tried it on my search and it works! I then used mvindex like you suggested to bring out the parts to each new field.
| eval field1=mvindex(parts,0)
Thank you very much sir.