Solved: Extract first characters of field if

marco_massari11 · ‎11-30-2020

Hi,

I need to extract first 7 characters of a network device name, like this:

| eval site=substr(Device,1,7) to identify the site

But if the the first 7 characters are equals to site=mysite1 I need also the last 4 charatcters of the device name:

| substr(Device, -4)

If the first 7 characters are !=mysite1 I don't need the last 4

How can I merge those conditions in a unique field? beacause at the end of the query I have :

| chart count(Interface) as Interfaces by site so I need only one eval site field

Thanks in advance!

marco_massari11 · ‎11-30-2020

If the first 7 characters are equal to mysite1, the query takes only the last 4 characters, but I need the first 7 and the last 4. So the solution is:

| eval site=case(substr(Device,1,7)=="mysite1",substr(Device1 , 7) + substr(Device, -4),1=1,substr(Device,1,7) )

Thanksss!

View solution in original post

493669 · ‎11-30-2020

@marco_massari11 Try below

| eval site=case(substr(Device,1,7)=="mysite1",substr(Device, -4),1=1,substr(Device,1,7) )

marco_massari11 · ‎11-30-2020

If the first 7 characters are equal to mysite1, the query takes only the last 4 characters, but I need the first 7 and the last 4. So the solution is:

| eval site=case(substr(Device,1,7)=="mysite1",substr(Device1 , 7) + substr(Device, -4),1=1,substr(Device,1,7) )

Thanksss!

Extract first characters of field if

chart

panel

single value

table

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector