I have the following entry in several of my events:
`puppy_name = "Scout Windixie Spot"`
If it's not obvious already, this field, puppy_name, has 3 different values. It really should be:
`puppy_names = ["Scout", "Windixie", "Spot"]`
That said, I have a couple of questions:
*Note*: if you can help me with question 2, then don't bother with 1.
1) What SPL query can I construct to count the number of unique strings in `puppy_name` and put the result in a new field called `puppy_name_count`?
I have already tried:
`index="puppies" | eval puppy_name_count=mvcount(split(puppy_name, " "))`
Assuming `split()` returns an array (although I can't say this for sure because I couldn't find any documentation on `split()`), I need something like:
`index="puppies" | eval puppy_name_count=array_length(split(puppy_name, " "))`
Does anyone know how I can achieve this?
2) Is there an SPL query or Splunk configuration I can write to automatically split the different puppy names in `puppy_name` into something like: `puppys_name=["Scout", "Windixie", "Spot"]`?