Let's say my result would produce:
a.log
a.log.1
a.log.2
a.log.3
b.log
b.log.1
b.log.2
b.log.3
c.log
c.log.1
c.log.2
c.log.3
I want the final result as
a.log
b.log
c.log
Thoughts?
Try this run anywhere search
| makeresults | eval field1="a.log a.log1 a.log2 a.log3 " | makemv field1 | mvexpand field1 | appendcols [| makeresults | eval field2="b.log b.log1 b.log2 b.log3 " | makemv field2 | mvexpand field2] | replace a.log* WITH a.log IN field1 | replace b.log* WITH b.log IN field2
Try
| replace a.log* WITH a.log IN fieldname| replace b.log* WITH b.log IN fieldname | so on
replace documentation:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Replace
OR another way is
| eval field1=replace(field1,"(a\.log).*","\1"), field2=replace(field2,"(b\.log).*","\1"), so on
But this won't help, as there are 70 varieties of logs.
Try something like this..
| makeresults | eval field1="a.log a.log1 a.log2 a.log3 " | makemv field1 | mvexpand field1 | appendcols [| makeresults | eval field2="b.log b.log1 b.log2 b.log3 " | makemv field2 | mvexpand field2] | table field1 field2 | foreach field* [eval <<FIELD>>=replace(<<FIELD>>,"^(\w+)(\.log).*","\1\2")]
This will do it for each and every field matching field*
| foreach field* [eval <<FIELD>>=replace(<<FIELD>>,"^(\w+)(\.log).*","\1\2")]
It worked!!!!!!! Thank you!!!!!
are these fields or values?
@mayurr98 · these are values
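Since the file names turned out to be values of one field rather than separate fields, here is a run-anywhere search for that case, added as an example and not posted by anyone in this thread. The field names `sample_source`, `base`, `rotated`, `files` and `rotated_copies` and the sample values (including `b.log2` and `notes.txt`) are constructed for illustration. It strips a trailing rotation number in either the `a.log.1` or the `a.log1` style, leaves values that do not match untouched, and collapses the results to one row per base log name.

```spl
| makeresults
| eval sample_source="a.log a.log.1 a.log.2 a.log.3 b.log b.log.1 c.log c.log.3 b.log2 notes.txt"
| makemv sample_source
| mvexpand sample_source
| eval base=replace(sample_source, "^(.+?\.log)\.?\d+$", "\1")
| eval rotated=if(base!=sample_source, 1, 0)
| stats count AS files, sum(rotated) AS rotated_copies BY base
| sort base
```

On real data, drop the first four lines and use the field that holds the file names in place of `sample_source`.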