removing last two characters from results

mcbradford
Contributor

My search looks like this:

index=webproxy | regex user=".+a" | top 100 user 

results are j9999la

I want to list the real result, but also remove anything after the first 5 characters and display this as well.

The result j9999 can be used in a lookup to give me a person's name.

So what I really want to see is

user               user_name               real_name
j9999la            j9999                   John Doe

If I can get everything after the 5th character removed, I can handle the rest.


UPDATE

This does exactly what I want it to do, but I thought I would be able to figure out the second part - not really...

So, the results of user_name relate to a person. If the results of the user_name were part of the original data and it was called user - I would have additional fields returned with information on the user, such as full name, location, phone, etc.

We query an employee database twice a day to populate a csv containing all the employees.

How can I pass my results of user_name to the csv to populate the employee data?

BTW - not sure how we do this, but I do not pass anything to the csv now - it is just part of my data. This was set up by professional services.

dwaddle
SplunkTrust

mcbradford, I took your answer below and merged it into the original question as an update. The answers system lets you edit your original question/answer as necessary.

dwaddle
SplunkTrust

The easiest way is probably to use the substr function within eval.

index=webproxy | regex user=".+a" | top 100 user | eval user_name=substr(user,1,5) ...

UPDATE

Assuming your user lookup table is defined in transforms.conf as user_list, this should let you pull data from it into your current search data:

index=webproxy | regex user=".+a" | top 100 user | eval user_name=substr(user,1,5)
| lookup user_list user_name

Your transforms.conf stanza for user_list might look as follows:

[user_list]
filename=userlist.csv

Some relevant documentation is available at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup and http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Addfieldsfromexternaldatasources
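As an added worked example (not code from the original thread), here is the whole search put together, assuming the [user_list] stanza above points at userlist.csv and that the CSV has a header row with user_name as the match column plus real_name, location and phone. Every field name other than user and user_name is an assumption about the CSV layout:

```spl
index=webproxy
| regex user=".+a"
| top 100 user
| eval user_name=substr(user,1,5)
| lookup user_list user_name OUTPUTNEW real_name location phone
| fillnull value="NOT IN EMPLOYEE LIST" real_name location phone
| table user count user_name real_name location phone
```

Before relying on the enrichment, run `| inputlookup user_list | head 5` on its own to confirm Splunk can read the CSV and that its column names match the ones used in the lookup. The fillnull step makes unmatched IDs visible rather than leaving the columns blank: a proxy user whose 5-character prefix has no entry in the twice-daily employee export is exactly the kind of row (a departed account, a service account, or a malformed ID) worth reviewing.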
