I am working with JSON data type events and am trying to extract the username (user1, user2) from the pathspec data structure in my events (sample below):
"pathspec": {"__type__": "PathSpec", "location": "/media/APA_windows/Users/user1/AppData/Local/Microsoft/Windows/UsrClass.dat", "type_indicator": "OS"}
"pathspec": {"__type__": "PathSpec", "location": "/media/APA_windows/Users/user2/AppData/Local/Microsoft/Windows/UsrClass.dat", "type_indicator": "OS"}
I am using the below SPL to split up pathspec.location into a multivalue field and then use mvindex:
..... | makemv delim="/" pathspec.location
| eval user_name = mvindex(pathspec.location, 3)
However, when I table out the user_name field, it does not show any results. Not sure why this is not working. Any suggestions would be helpful.
Desired output from the user_name field would be:
user1
user2
Field names containing special characters should be surrounded with single quotes when used in eval expressions:
| eval user_name = mvindex('pathspec.location', 3)
Awesome! That worked, @tscroggins! Thanks a lot for helping out.
Could you point me to a link, if possible, to what Splunk considers as special characters?
The exact wording in documentation [1] (emphasis Splunk's):
If the expression references a field name that contains non-alphanumeric characters, other than the underscore ( _ ) character, the field name needs to be surrounded by single quotation marks. For example, if the field name is server-1 you specify the field name like this new=count+'server-1'.
I.e., any character other than 0-9, A-Z, a-z, and _.
1. https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Eval
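As an added illustration, not part of the thread or of Splunk's own code, the Python below mirrors what the accepted SPL does over constructed sample events shaped like the pathspec structures in the question. makemv and mvindex are modelled on the Splunk commands (the model assumes makemv's default of dropping empty values, which is why the segment after the leading "/" lands at index 3), and the positional lookup is placed beside an extraction anchored on the Users directory, which returns nothing instead of a misleading value when a hive such as the SYSTEM hive is not under a user profile. The third event and the helper names are assumptions made for this example.

```python
import json

# Constructed sample events, modelled on the pathspec structures quoted in the question.
SAMPLE_EVENTS = [
    '{"pathspec": {"__type__": "PathSpec", "location": "/media/APA_windows/Users/user1/AppData/Local/Microsoft/Windows/UsrClass.dat", "type_indicator": "OS"}}',
    '{"pathspec": {"__type__": "PathSpec", "location": "/media/APA_windows/Users/user2/AppData/Local/Microsoft/Windows/UsrClass.dat", "type_indicator": "OS"}}',
    # Constructed: a system hive, so there is no user name to extract at all.
    '{"pathspec": {"__type__": "PathSpec", "location": "/media/APA_windows/Windows/System32/config/SYSTEM", "type_indicator": "OS"}}',
]


def makemv(value, delim="/"):
    """Model of Splunk makemv with its default allowempty=false: split and drop empty values."""
    return [part for part in value.split(delim) if part != ""]


def mvindex(values, index):
    """Model of Splunk mvindex: return None when the index is out of range."""
    if -len(values) <= index < len(values):
        return values[index]
    return None


def user_from_location(location):
    """Positional extraction, as in the thread: the fourth non-empty path segment."""
    return mvindex(makemv(location), 3)


def user_from_users_dir(location):
    """Anchored extraction: the segment right after a 'Users' directory, else None."""
    parts = makemv(location)
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "users":
            return parts[i + 1]
    return None


def extract_user_names(events):
    """Return (positional, anchored) user name pairs for each JSON event string."""
    results = []
    for raw in events:
        location = json.loads(raw)["pathspec"]["location"]
        results.append((user_from_location(location), user_from_users_dir(location)))
    return results


if __name__ == "__main__":
    for positional, anchored in extract_user_names(SAMPLE_EVENTS):
        print(f"positional={positional!r} anchored={anchored!r}")
```

The first two events give user1 and user2 either way; the third shows why the positional index alone is risky in a search that tables user_name, since it silently reports System32 as a user, whereas the anchored version leaves the field empty.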