Field extract and zip them.

sandeepmakkena · ‎09-20-2019

(product=X Phone , 512 ГБ, золотой,shipMethodCode=E3,qty=1,deliveryType=STH,partNumber=MRU/A,deliveryDate=4 Окт - 11 Окт,commitCode=200,resolvedDate=4 Окт - 11 Окт,product=Phone, (PRODUCT)RED_Phone,shipMethodCode=E3,qty=1,deliveryType=STH,partNumber=M2ZM/A,deliveryDate=Пн 23 Сен,commitCode=24,resolvedDate=Пн 23 Сен)

I want to extract product and commitCode and Zip them.
I want display
Phone;commitCode
X Phone;200
RED_Phone;24

Can someone help please.

DavidHourani · ‎09-22-2019

Hi @sandeepmakkena,

If you have kv_mode on auto the fields phone and commitCode should be automatically extracted. As shown here :
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Automatickey-valuefieldextractionsatse...

To zip the two fields together with a semi-colon seperator you can use the following eval:

| eval ZippedField=mvzip(phone, commitCode, ";")

Let me know if that helps and if you require a regex for the extraction instead of the automated kv extraction.

Cheers,
David

DavidHourani · ‎09-22-2019

@sandeepmakkena, please let me know if the answer was helpful and if you need further help.

Sukisen1981 · ‎09-20-2019

hmm your product characters are in different formats.
you have product= and (PRODUCT) , are they the only expected formats before the product name is mentioned in your events?

sandeepmakkena · ‎09-22-2019

I am new to this data. product= and (PRODUCT) happens when a user orders two or more at one transaction. I am not that's what you're looking for.

Field extract and zip them.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms