I have list of indexes which contain country name as
germany_Abc_def ,
germany_Local_Abc_def,
germany_Local_Int_Abc_def ,
Italy_Abc_def ,
Italy_Local_Abc_def ,
Italy_Local_Int_Abc_def
now I have one dashboard where I have a dropdown where I want the country name to be reflected as Italy_Local_Int.
I tried with the below.. it's giving only Germany, Italy instead of germany_Local_Int and germany_Local
eventcount summarize=false index="$country$_Abc_def"
| where count!=0
| eval idx=split(index,"_")
| eval country=mvindex(idx,0)
| dedup country
question from:
https://stackoverflow.com/questions/66051558/index-extraction-in-splunk 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
