eg: list = { abc::12345, xyz::345} . requirement is I have to get {abc, xyz} as query result.
needs stats count of the values in the list after removing the part after delimiter ::
Asked
Active
Viewed 342 times
1 Answers
0
There's probably more than one way to do it (as is common with Splunk), but I like rex. Here's a run-anywhere example query that shows how.
| makeresults
| eval list = "{ abc::12345, xyz::345}"
``` The above creates demo data. Remove IRL ```
``` Use a regular expression to extract keywords from before "::" into field 'f' ```
| rex field=list max_match=0 "[\s\{,](?<f>[^:]+)"
``` Count the number of (non-unique) values in f ```
| eval count=mvcount(f)
RichG
- 9,063
- 2
- 18
- 29