Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

merge a string in a list relatively to another string

amir_bnp
Explorer
‎12-06-2019 01:46 AM

Hello everyone,

I want to add a string in a list which is in a field compared to another string which also is in another field.

alt text

I want to add the string "webrtc" in the list in the field Type where in the field Type_call there is "web"

I tried with the command eval(if(in)) but it didn't start because it replace the entire list in Type by "webrtc"

How can do that, please ?

Thank you

splunk-resquest.jpg
Preview file
19 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

arjunpkishore5
Motivator
‎12-09-2019 03:50 AM

Try this.

| eval Type=if(match(Type_call,"web"), mvappend(Type, "webrtc"), Type)

View solution in original post

Reply
Solved! Jump to solution
Solution

arjunpkishore5
Motivator
‎12-09-2019 03:50 AM

Try this.

| eval Type=if(match(Type_call,"web"), mvappend(Type, "webrtc"), Type)
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-09-2019 03:56 AM 
| makeresults 
| eval _raw="Type_call,Type
sip,Audio#Video
sip#web,Audio#Video" 
| multikv forceheader=1 
| foreach "Type*" 
    [ eval <<FIELD>> = split('<<FIELD>>',"#")] 
| table Type_call Type
| nomv Type_call
| eval Type=if(match(Type_call,"web"), mvappend(Type, "webrtc"), Type)

It works, thank you

Reply
Solved! Jump to solution

amir_bnp
Explorer
‎12-09-2019 05:00 AM

it works thank you @to4kawa .

I used that :

...| table pole participant type_call_leg type | eval type=if(match(type_call_leg,"acano"), mvappend(type, "webrtc"), type)

and it works with the "match" and not "mvfind"

thank you

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎12-10-2019 02:20 AM

The use of match and nomv rather then mvfind, is an indicator that the field was not multivalue or was hitting some MV field limit. In principle mvfind should work as a general rule.

0 Karma
Reply
Solved! Jump to solution

amir_bnp
Explorer
‎12-10-2019 02:28 AM

ok thanks for this clarification.

Amir

0 Karma
Reply
Solved! Jump to solution

arjunpkishore5
Motivator
‎12-09-2019 04:01 AM

I hadn't noticed that you have a similar approach in yours. 🙂

0 Karma
Reply
Solved! Jump to solution

amir_bnp
Explorer
‎12-09-2019 05:05 AM

thanks to you @arjunpkishore5 also for your request it works with the match

Amir

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-06-2019 04:55 AM 
| makeresults 
| eval _raw="Type_call,Type
sip,Audio#Video
sip#web,Audio#video"
| multikv forceheader=1
| foreach Type*
    [eval <<FIELD>> = split('<<FIELD>>',"#")]
| table Type_call Type
`comment("this is sample base data")`
| eval Type=if(mvfind(Type_call,"web") > 0, mvappend(Type,"webtrc"),Type)

Hi, try this.

Reply
Solved! Jump to solution

amir_bnp
Explorer
‎12-09-2019 12:30 AM

Hello to4kawa,

Thank you for you answer.

How do you do that but without the makeresults and the sample of data and the foreach?

My data is contained as the table above and i have other string in addition to "Audio" and "Video".

I have a field type_call and type and I want to do what I explained above but without using a data sample but with the data contained in the fields as splunk does.

Thank you
Amir

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎12-09-2019 02:34 AM

This is the relevant line that does the work

eval Type=if(mvfind(Type_call,"web") > 0, mvappend(Type,"webtrc"),Type)

The rest is setup. The mvfind is looking for the string 'web' in the Type_call and if found (>0) the it adds the webtrc field to the existing multivalue Type field

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-09-2019 03:20 AM

Thank you @bowesmana , that's right.
so, hi @amir_bnp 

| makeresults 
| eval _raw="Type_call,Type
sip,Audio#Video
sip#web,Audio#Video" 
| multikv forceheader=1 
| foreach "Type*" 
    [ eval <<FIELD>> = split('<<FIELD>>',"#")] 
| table Type_call Type

Have you checked this result first?

Type_call      Type
sip            Audio
               Video
----------------------------
sip            Audio
web            Video

From this result, webtrc is added when the query eval is executed.
But if this doesn't work, it seems that Type_call is not multivalue, unlike the example given.

what's your query?

0 Karma
Reply
Solved! Jump to solution

amir_bnp
Explorer
‎12-09-2019 04:49 AM

hi @to4kawa ,

your request works for the small table that I gave as an example but how do I change the request for it to work on a table containing the same fields but with thousands of lines?

thank you and sorry if I did not understand at first.

Amir

0 Karma
Reply
Solved! Jump to solution

amir_bnp
Explorer
‎12-09-2019 02:44 AM

Hello @bowesmana ,

I already tried this but it didn't work.

In my row which contains "sip" and "web" in the field Type_call, I don't have the "webrtc" which is added in the "Type" fields.

Thanx
Amir

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top