Solved: Extraction of a substring and comparison in a loop

diliptmonson · ‎02-17-2016

Hi,

I need to search for an element A present in one of the fields let's say field 1.

Some of the values present for field1 in various rows are
Row1: field1=C,D
Row2: field1=E,F,A, ....

I need to do a extract each of the elements present before the comma (,) and compare to see if its A across rows.

Is there a way in Splunk to perform this capability?

Any help in solving this is greatly appreciated.

Cheers,
Dilip

renjith_nair · ‎02-18-2016

Try

   your search  |eval Result=if(mvindex(split(field1,","),0) =="A","YES","NO")

---
What goes around comes around. If it helps, hit it with Karma 🙂

somesoni2 · ‎02-18-2016

Do you need to know when row has field1 with A as one of the value?? IF that's the case, you can try like this

your base search | where isnotnull(mvfind(split(find,","),"A"))

renjith_nair · ‎02-18-2016

Try

   your search  |eval Result=if(mvindex(split(field1,","),0) =="A","YES","NO")

---
What goes around comes around. If it helps, hit it with Karma 🙂

Extraction of a substring and comparison in a loop