- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- position of a string in another string
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was looking through the functions available for locating the position of 1 string in another string, and couldn't see one (in http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/CommonEvalFunctions).
While mvindex and substr will return the element at a position in a string or mv item, mvfind is meant to return the index of an element in an mv field.
However, is there no function to get the position of a string within another string (e.g. php's strpos function). "match" returns a boolean on matching a string, but if a function that worked the same as match, but returned a numeric value for the number of matches would give a lot more scope to eval.
eval n=match_count("search","[ae]")
// n = 2. 0 means no matches
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
... | transaction mvlist=t SessionID | ....
mvlist=t - order based on natural order (sequence of events).
mvlist=f - lexigraphical ordering (default)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
... | transaction mvlist=t SessionID | ....
mvlist=t - order based on natural order (sequence of events).
mvlist=f - lexigraphical ordering (default)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks echalex,
I have been trying to get it to work, but not really coming right. It could possibly be due to a transaction.
Given I have logs:
date - sessionId: xyz, uri: "/"
date - sessionId: xyz, uri: "/login"
date - sessionId: xyz, uri: "/signup"
with the dates increasing, when I add to a transaction, it merges all the entries. So with an mvindex on a split, it should split on the "/login" string, and mvindex 0 should return "date - .... "/".... uri:" but I am not getting it as expected... 😞
someSearch | transaction SessionID | eval n=mvindex(split(uri,"/login"),0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi brettcave,
You could split the field into a mv-field and take the length of the first value of the mv-field:
eval foo=mvindex(split(your_field, "your string"),0) |eval bar=if(foo!=your_field,len(foo),-1)
The second eval will give foo the value -1 if "your string" isn't in your_field. Otherwise, it's the index. (To be exact, the number of characters before "your string". Change -1 to whatever you like.
HTH
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
