Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

removing last two characters from results

mcbradford
Contributor
‎09-29-2011 03:08 PM

My search looks like this:

index=webproxy | regex user=".+a" | top 100 user

results are j9999la

I want to list the real result, but also remove anything after the first 5 character and display this also.

The result j9999 can be used in a lookup to give me a person's name.

So what I really want to see is

user               user_name               real_name
j9999la            j9999                   John Doe

If I get the everything after the 5th character removed - I can handle the rest

UPDATE

This does exactly what I want it to do, but I thought I would be able to figure out the second part - not really...

So, the results of user_name relate to a person. If the results of the user_name were part of the original data and it was called user - I would have additional fields returned with information on the user, such as full name, location, phone, etc.

We query an employee database twice a day to populate a csv containing all the employees.

How can I pass my results of user_name to the csv to populate the employee data?

BTW - not sure how we do this, but I do not pass anything to the csv now - it is just part of my data. This was setup by professional services.

Tags (1)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-30-2011 11:13 AM

mcbradford, I took your answer below and merged it into the original question as an update. The answers system lets you edit your original question/answer as necessary.

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎09-30-2011 08:44 AM

Have you taken a look at the following search commands:

outputlookup
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup

outputcsv
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputcsv

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-29-2011 09:27 PM

The easiest way is probably to use the substr function within eval. 

index=webproxy | regex user=".+a" | top 100 user | eval user_name=substr(user,1,5) ...

UPDATE

Assuming your user lookup table is defined in transforms.conf as user_list. This should let you pull data from it into your current search data:

index=webproxy | regex user=".+a" | top 100 user | eval user_name=substr(user,1,5)
| lookup user_list

Your transforms.conf stanza for user_list might look as follows:

[user_list]
filename=userlist.csv

Some relevant documentation is available at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup and http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Addfieldsfromexternaldatasources

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...