I have a Splunk search that outputs results as follows.
Details | link |
Product Details : Product 1:- ABC123 Product 2:- DEF456 | abcd_website |
Now how do I combine both fields into one, as follows?
Details | link |
Product Details : Product 1:- ABC123 link:- abcd_website Product 2:- DEF456 | abcd_website |
The eval below gives me the following result:
| eval Details = Details + link
Details | link |
Product Details : Product 1:- ABC123 Product 2:- DEF456 link:- abcd_website | abcd_website |
I do not want to add the link at the end, but somewhere in the middle, after a specific field. Also, I do not want to touch or edit the Details field; although that's an easy way, it comes from a macro which is used by many searches. I am looking for an alternate way, so that I can update the Details for a specific search.
Hi @pavanae,
Maybe the following will work for you. It uses rex/sed to locate the placement location, and inserts a placeholder (#LINK#, but you can replace this with what you deem "safe" in this context). After that an eval command replaces that placeholder with the needed value:
| rex field=Details mode=sed "s/(Product\s1:-\s[^\n]+)(\n)/\1\n#LINK#\n/"
| eval Details=replace(Details, "#LINK#", link)
I'm not sure if you can do this in a single rex line (maybe something like $link or ${link}); I can't find anything about it in the documentation.
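
As an added example (not part of the original answer): the same insertion done in a single eval, using the capture-group backreference that eval's replace() accepts in its replacement string, so no placeholder is needed and the macro that builds Details stays untouched. The rows are constructed with makeresults; the helper fields n and nl are names assumed here, with nl holding a newline built by urldecode("%0A").

```spl
| makeresults count=2
| streamstats count AS n
| eval nl=urldecode("%0A")
| eval link="abcd_website"
| eval Details=if(n=1,
    "Product Details :".nl."Product 1:- ABC123".nl."Product 2:- DEF456",
    "Product Details :".nl."Product 9:- XYZ789")
| eval Details=replace(Details, "(Product\s1:-\s[^\n]+\n)", "\1link:- ".link.nl)
| table n Details link
```

The second constructed row has no "Product 1" line, so replace() finds no match and returns its Details unchanged.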