strip off a part of a search field

sugethakch · ‎11-10-2014

I have a search query that goes like this:
sourcetype="inv" Inv name=* | table name, intf, model, serialnum, mfgname | dedup switchname intf | stats count by ....

I want to do, stats counts by name in this case. If I search by intf=*, then I want to do, stat count by intf and so on.

I tried something like this,
sourcetype="inv" Inv name=* | table name, intf, model, serialnum, mfgname | dedup switchname intf | eval n=rtrim("name=","=") | stats count by n

But, that didn't work. I see why. But, how do I achieve that?

woodcock · ‎05-23-2015

I would use a macro like this in macros.conf:

[MyMacro(1)]
args = fieldname
definition = sourcetype="inv" Inv $fieldname$=* | table name, intf, model, serialnum, mfgname | dedup switchname intf | stats count by $fieldname$

Then call it like this:
... | `MyMacro(name)`
And like this:
... | `MyMacro(intf)`

musskopf · ‎11-10-2014

Just trying to understand the context and your use case... as you'll be changing the first part of the search anyway, why don't update the last bit at same time?

vganjare · ‎04-27-2015

Can macro help in this case?

strip off a part of a search field

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join the Conversation

strip off a part of a search field

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA