Usage of Splunk EVAL Function : SPLIT

Usage of Splunk EVAL Function : SPLIT

Usage of Splunk EVAL Function : SPLIT

  • This function takes two arguments( X and Y ).
  • So X will be any field name and Y will the delimiter.
  • This function splits the values of X on basis of Y and returns X field values as a multivalue field.

Find below the skeleton of the usage of the function “split” with EVAL :

….. | eval NEW_FIELD=split(X,“Y” )

Example:

index=_internal
| table source
| dedup source
| eval DIR_NAME=split(source,“/” )

 

Result:

split

split2

Explanation:

In the above query source is an existing field name in _internal index. We have taken source field by table command and by the dedup command we have removed duplicate values. Here you can see “/” sign in all values of source field. So we are taking “/” sign as a  delimiter for performing the query. At last by split function with eval command we have split source field values on the basis of delimiter ( “/”) and store the values in a multi-value field called DIR_NAME.

 

Now you can effectively utilize “split” function with “eval” command to meet your requirement !!

 Hope you are now comfortable in : Usage of Splunk EVAL Function : SPLIT

 

HAPPY SPLUNKING !!         

Advertisements

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.