Hello,
I want to use a predefined line to extract fields from the _raw field.
e.g. "Name||Phone||Address"
==>
`... | eval segs=split(_raw, "||")`
`| eval Name=mvindex(segs,0) | eval Phone=mvindex(segs,1) ...`
I use the following code:
[| stats c
| eval c=split([search index=defined | eval c="\"".replace(_raw,"[\(\)\-\s]","")."\"" | return $c],"||")
| mvexpand c | eval d=1 | accum d | eval d=d-1
| format "" "" "=mvindex(t_segs," ")" " | eval " ""
| eval search=replace(search,"[cd]=\s*","")
| eval search=replace(search,"\s*\"(\d+)\"\s*","\1")
| eval search=replace(search, "\"\s*","") | return $search]
To produce the argument:
`Name=mvindex(segs,0) | eval Phone=mvindex(segs,1) | eval Address=mvindex(seg,2)`
But when the argument is returned to eval:
`index=contacts | eval segs=split(_raw, "||") | eval [|stats c ... ... return $search]`
It tells me
**Error in 'eval' command: The operator at '| eval Phone=mvindex(segs,1) | eval Address=mvindex(seg,2) ' is invalid.**
I have no idea where the problem is. I think it must be equal to
index=contacts | eval segs=split(_raw, "||")
| eval Name=mvindex(segs,0) | eval Phone=mvindex(segs,1) | eval Address=mvindex(seg,2)
Thanks for reading and replying!