Hi,
I'm trying to extract the unique values for specific fields. You would use the following command in unix:
cut -d"," -f1
How would you do it in the Splunk search bar?
Thanks!
How about
... | makemv delim="," _raw | eval yourfield=mvindex(_raw,0)
Or if you prefer using regex,
... | rex "^(?<yourfield>[^,]+)"
What difference would you be expecting? The raw events will still look the same - the difference would be that the field yourfield is created and should contain the data you want to extract.
Hi Ayn,
I'm sorry but I don't see the difference in results with or without these additional commands.
So you are wanting to extract the date and what appears to be some statistic (avg response/seek time?), right? Have you tried using Field Extractions? Check it out at http://docs.splunk.com/Documentation/Splunk/4.3.3/Knowledge/Addfieldsatsearchtime.
This is the sample data.
asmbkp20 [32; RAID 5; blade01-rac1; blade02-rac2; blade03-rac3],05/08/2013 11:18:52,APM00083400778,A,0.322061,0.322061
There are like 134+ fields there (not shown) and I'm only interested in fields 1 and 4 (DELIMS=","). Upon extracting fields 1 and 4, I'd like to create a bar chart showing values at different times of the day/week, etc.
Can you show us a sample event as well as the output you would like to see?
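Putting the rex suggestion above together with the sample event, here is a search that extracts fields 1 and 4 and charts field 4 by hour of the day. This is an added example, not from any of the posters; `<your_index>` and `<your_sourcetype>` are placeholders, the field names device, ts and field4 are my own, and it assumes no field contains an embedded comma (the sample's field 1 uses semicolons, so a plain comma split is safe).

```spl
index=<your_index> sourcetype=<your_sourcetype>
| rex field=_raw "^(?<device>[^,]*),(?<ts>[^,]*),[^,]*,(?<field4>[^,]*)"
| eval _time=strptime(ts, "%m/%d/%Y %H:%M:%S")
| eval hour=strftime(_time, "%H"), weekday=strftime(_time, "%A")
| chart count over hour by field4
```

The eval of _time parses the event's own timestamp (field 2) so the hour and weekday buckets reflect the data rather than index time; swap `hour` for `weekday` in the chart command for a per-day view. If you would rather not write a regex, `| eval parts=split(_raw, ","), device=mvindex(parts, 0), field4=mvindex(parts, 3)` does the same delimiter-based extraction without modifying _raw.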