Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

position of a string in another string

brettcave
Builder
‎08-06-2012 04:45 AM

I was looking through the functions available for locating the position of 1 string in another string, and couldn't see one (in http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/CommonEvalFunctions).

While mvindex and substr will return the element at a position in a string or mv item, mvfind is meant to return the index of an element in an mv field.

However, is there no function to get the position of a string within another string (e.g. php's strpos function). "match" returns a boolean on matching a string, but if a function that worked the same as match, but returned a numeric value for the number of matches would give a lot more scope to eval.

eval n=match_count("search","[ae]")
// n = 2. 0 means no matches
Reply
1 Solution
Solved! Jump to solution
Solution

brettcave
Builder
‎08-24-2012 02:29 AM 
... | transaction mvlist=t SessionID | ....

mvlist=t - order based on natural order (sequence of events).
mvlist=f - lexigraphical ordering (default)

View solution in original post

Reply
Solved! Jump to solution
Solution

brettcave
Builder
‎08-24-2012 02:29 AM 
... | transaction mvlist=t SessionID | ....

mvlist=t - order based on natural order (sequence of events).
mvlist=f - lexigraphical ordering (default)

Reply
Solved! Jump to solution

brettcave
Builder
‎08-10-2012 04:35 AM

Thanks echalex,

I have been trying to get it to work, but not really coming right. It could possibly be due to a transaction.

Given I have logs:

date - sessionId: xyz, uri: "/"
date - sessionId: xyz, uri: "/login"
date - sessionId: xyz, uri: "/signup"

with the dates increasing, when I add to a transaction, it merges all the entries. So with an mvindex on a split, it should split on the "/login" string, and mvindex 0 should return "date - .... "/".... uri:" but I am not getting it as expected... 😞

someSearch | transaction SessionID | eval n=mvindex(split(uri,"/login"),0)
0 Karma
Reply
Solved! Jump to solution

echalex
Builder
‎08-06-2012 06:38 AM

Hi brettcave,
You could split the field into a mv-field and take the length of the first value of the mv-field:

eval foo=mvindex(split(your_field, "your string"),0) |eval bar=if(foo!=your_field,len(foo),-1)

The second eval will give foo the value -1 if "your string" isn't in your_field. Otherwise, it's the index. (To be exact, the number of characters before "your string". Change -1 to whatever you like.

HTH

Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...