strip off a part of a search field

sugethakch · ‎11-10-2014

I have a search query that goes like this:
sourcetype="inv" Inv name=* | table name, intf, model, serialnum, mfgname | dedup switchname intf | stats count by ....

I want to do, stats counts by name in this case. If I search by intf=*, then I want to do, stat count by intf and so on.

I tried something like this,
sourcetype="inv" Inv name=* | table name, intf, model, serialnum, mfgname | dedup switchname intf | eval n=rtrim("name=","=") | stats count by n

But, that didn't work. I see why. But, how do I achieve that?

woodcock · ‎05-23-2015

I would use a macro like this in macros.conf:

[MyMacro(1)]
args = fieldname
definition = sourcetype="inv" Inv $fieldname$=* | table name, intf, model, serialnum, mfgname | dedup switchname intf | stats count by $fieldname$

Then call it like this:
... | `MyMacro(name)`
And like this:
... | `MyMacro(intf)`

musskopf · ‎11-10-2014

Just trying to understand the context and your use case... as you'll be changing the first part of the search anyway, why don't update the last bit at same time?

vganjare · ‎04-27-2015

Can macro help in this case?

strip off a part of a search field

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

strip off a part of a search field

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability