Nithya

Reputation: 1

Splunk Query to get comma separated value as single value

In the logs we have a value "device=xyz,1". Here we need to treat "xyz,1" as a single value and display it in a table. But when we run a query it only displays the device value as "xyz" and drops the ",1". How can we treat it as a single value?

Query example: ....|eval device = if(isnull(device), "notFound", device) | table device

From the above query, the expectation is:
The table should have a column named device and the value should be "xyz,1".

What is actually happening:
The table has a column named device but the value is "xyz".

I have tried mvjoin but it's not helping.

Please suggest a solution

Upvotes: 0

Views: 961

Answers (1)

warren

Reputation: 33473

You may need to custom-extract the value (until you can get the sourcetype's props.conf and transforms.conf updated).

Something like this should work:

<search>
| rex field=_raw "device=(?<device>\S+)"
<rest of search>

Upvotes: 2
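To see why the answer's rex pattern works where the automatic key=value extraction does not, here is an added example (not code from the original post or from Splunk) that runs both extraction strategies over a few constructed sample events and builds the same "device" column that the question's eval/table pipeline produces. The event lines, host names and the "action" field are assumptions made up for the example. One caveat a practitioner should keep in mind: \S+ is greedy up to the next whitespace, so if the device value is ever followed directly by another field with no space in between, the capture will swallow it; the right tighter pattern depends on the real log format, which the post does not show. Note that Splunk's rex uses PCRE named-group syntax (?<name>...), while Python's re module spells the same group (?P<name>...).

```python
import re

# Constructed sample events (not from the original post). Each carries a
# device=<value> pair whose value itself contains a comma; the last event has
# no device field at all, to exercise the isnull() fallback.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z host=web1 device=xyz,1 action=login",
    "2024-01-01T10:00:05Z host=web2 device=abc,22 action=logout",
    "2024-01-01T10:00:09Z host=web3 action=login",
]

# The answer's Splunk pattern:  | rex field=_raw "device=(?<device>\S+)"
# Python's re module writes a named group as (?P<name>...); semantics are the same.
DEVICE_RE = re.compile(r"device=(?P<device>\S+)")


def default_kv_extract(event):
    """Mimic an automatic key=value extractor that treats ',' (as well as
    whitespace) as a field delimiter, which is the behaviour the question
    describes: the value stops at the comma, so 'xyz,1' becomes 'xyz'."""
    fields = {}
    for token in re.split(r"[\s,]+", event):
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)
    return fields


def default_device(event):
    """Device value as the delimiter-based extractor would see it (or None)."""
    return default_kv_extract(event).get("device")


def rex_extract(event):
    """Apply the answer's rex pattern: 'device=' followed by a run of
    non-whitespace characters, so the comma stays inside the captured value."""
    m = DEVICE_RE.search(event)
    return m.group("device") if m else None


def device_column(events, extractor):
    """Equivalent of:
        | eval device = if(isnull(device), "notFound", device) | table device
    Returns the list of values that would fill the 'device' column."""
    rows = []
    for event in events:
        device = extractor(event)
        rows.append("notFound" if device is None else device)
    return rows


if __name__ == "__main__":
    print("device (automatic kv):", device_column(SAMPLE_EVENTS, default_device))
    print("device (rex \\S+)     :", device_column(SAMPLE_EVENTS, rex_extract))
```

Running the script shows the automatic extractor yielding ["xyz", "abc", "notFound"] while the rex-based extractor yields ["xyz,1", "abc,22", "notFound"], which is the table the question asks for.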
