How to Filter Table Output?

RahulMisra · ‎09-19-2023

I have an output of

index=feds | fillnull value="" | table httpRequest.clientIp labels{}.name

awswaf:clientip:geo:country:US

awswaf:managed:token:absent

awswaf:clientip:geo:region:US-IL

awswaf:managed:aws:bot-control:signal:non_browser_user_agent

wswaf:clientip:geo:country:US

awswaf:managed:token:absent

awswaf:clientip:geo:region:US-IL

awswaf:managed:aws:bot-control:signal:non_browser_user_agent

wswaf:clientip:geo:country:US

awswaf:managed:token:absent

awswaf:clientip:geo:region:US-IL

awswaf:managed:aws:bot-control:signal:non_browser_user_agent

But need to filter "awswaf:managed:aws:bot-control:signal:non_browser_user_agent" on Table output and see the results only on "awswaf:managed:aws:bot-control:signal:non_browser_user_agent"

ITWhisperer · ‎09-19-2023

If it is always the last item of a multivalue field, you could try something like this

index=feds  | fillnull value="" | table httpRequest.clientIp labels{}.name
| rename "labels{}.name" as name
| eval name=mvindex(name, -1)

RahulMisra · ‎09-19-2023

not always the last 😞

ITWhisperer · ‎09-19-2023

Does it always start with "awswaf:managed"? Or is there some other way to recognise the part you want displayed?

RahulMisra · ‎09-19-2023

Always with that String

ITWhisperer · ‎09-19-2023

You could try extracting just that part from your events. If you want help doing that, you should share some raw events in a code block </> to preserve formatting.

How to Filter Table Output?

table

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!