Here's a puzzler for you all.
I have SharePoint search logs coming in. The results field has a value like this:
4##18.3953018188477##docURL##False##False##True##False##||0##18.5134868621826##docURL##False##False##True##False##||2##18.4921894073486##docURL##False##False##True##False##||... etc.
Note that there exist TWO delimiters: || to separate the result sets and ## to separate the values within the result set.
I know I can use split to separate at || and create a MV field. But is it possible from that point to do this:
Or, of course, is there a different way to extract those doc URLs? I want to display them in a report of search string and returned results.
Thanks!
You could use rex or the field extractor to get the URL saved as a field. It's hard to give an example for rex without seeing how the search is structured within the docURL, but it might look something like:
| rex "url_base_here(?<docURL>search_string_here)"
Since what I'm after will be two fields from each part of the string, I plan to run rex to extract and , then use mvzip() and and mvexpand to create new columns of data.
Thanks for the answer!
How are the events separated at the present moment? Assuming these are already indexed too?
So your question is focused on a different way to extract the doc URLs? Is there a full actual URL in the real data? Or is it the value occurring before (e.g. 18.5134868621826##docURL) or is it after (e.g. docURL##False)? I'm guessing it isn't the extraction of the literal string 'docURL'.
The string "docURL" is a placeholder for a real URL.
Right now there is no separation of the value in that field. It exists in the form I showed you above as a value in a single event.
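An added example, not part of any post in this thread: one way to handle the two delimiters in SPL is to split on `||` first, expand to one row per result set, then split each row on `##` and pick values by position. The sample value, the `sp.example.test` URLs, the `search_string` value, the field names `results`, `result_set`, `parts` and `second_value`, and the assumption that the URL is always the third value in a result set are all constructed for illustration.

```spl
| makeresults
| eval search_string="quarterly report"
| eval results="4##18.3953018188477##https://sp.example.test/docs/a.docx##False##False##True##False##||0##18.5134868621826##https://sp.example.test/docs/b.docx#page2##False##False##True##False##||"
| eval result_set=split(results, "||")
| mvexpand result_set
| where len(result_set) > 0
| eval parts=split(result_set, "##")
| eval second_value=mvindex(parts, 1), docURL=mvindex(parts, 2)
| table search_string second_value docURL
```

Splitting on the full `##` delimiter, rather than matching with a character class that excludes `#`, keeps a URL containing a single `#` fragment intact. The `where` clause drops the empty entry left by a trailing `||`.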