Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

remove all text before certain words in events

trilocho
Loves-to-Learn
‎01-13-2023 08:38 AM

I have events like below

-a3bcd: Info1234x:NullValue

-a3bcd: Info1234x:NullValue

-b3bcd: Info1234x:NullValue2

-c3bcd: Info1234x:NullValue3

 

I managed to produce a table like these

ErrorInfo                                                     Count

a3bcd: Info1234x:NullValue               2

-b3bcd: Info1234x:NullValue2           1

-c3bcd: Info1234x:NullValue3           1

I would like to condense those events into one since they are all same kind of error just different paramter

so it would be like

ErrorInfo                                                     Count

Info1234x:                                                   1


Thanks in advance

 

 

 

 

Labels (3)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-13-2023 08:41 AM 
| eval ErrorInfo = mvindex(split(ErrorInfo, ":"),1)
0 Karma
Reply

trilocho
Loves-to-Learn
‎01-13-2023 11:37 AM

It didt work

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...