topic Re: I created a field that has 3 values. How can I change one of the values from WARNING to WARN using lookups? in Getting Data In

I created a field that has 3 values. How can I change one of the values from WARNING to WARN using lookups?

krishnani — Thu, 11 Aug 2016 20:21:54 GMT

I created a field and it has 3 values. I just want change one of the values from WARNING to WARN using lookups(.CSV). I also want to know how to configure it in props.conf.

Re: I created a field that has 3 values. How can I change one of the values from WARNING to WARN using lookups?

somesoni2 — Thu, 11 Aug 2016 21:18:37 GMT

You want to change the value of an extracted field? Why you want to use lookup if you know which value to be replaced with which? You can achieve that using a simple eval/replace command. Further, same can be saved in props.conf on SH to make it happen automatically for your data.

Re: I created a field that has 3 values. How can I change one of the values from WARNING to WARN using lookups?

sundareshr — Thu, 11 Aug 2016 22:09:54 GMT

If you want to make the change before indexing, you could try sed to replace text. Something like this in your props should work

SEDCMD-warn = s/(WARNING)/WARN/g

PS: This will only affect new data coming in.

Re: I created a field that has 3 values. How can I change one of the values from WARNING to WARN using lookups?

gcusello — Fri, 12 Aug 2016 06:48:23 GMT

You can also modify it in your searches at search_time:
| eval yourfield=if(yourfield="WARNING","WARN",yourfield)
in this way tou maintain logs as originals and show them as you want
Bye.
Giuseppe

Re: I created a field that has 3 values. How can I change one of the values from WARNING to WARN using lookups?

krishnani — Fri, 12 Aug 2016 16:35:13 GMT

I updated the my extracted field and values in props.conf like this

- EXTRACT-logvalue=^=(?(INFO|ERROR|WARN))
- it's working fine now but in the above config I hardcoded my values but I want to hardcode only WARN as in future we're expecting more values will come under same sourcetype. if a new value come in to the same sourcetype I need to hard code every value in props.conf.

So I would like to update my regex will update only from "WARNING" to "WARN" and rest other values (INFO,ERROR etc) need to add automatically to "logvalue" field without hardcoding.

Any suggestions on regex?

Re: I created a field that has 3 values. How can I change one of the values from WARNING to WARN using lookups?

krishnani — Fri, 12 Aug 2016 16:43:51 GMT

sorry there is typo in config. here is the correct one

EXTRACT-logvalue=^=(?logvalue(INFO|ERROR|WARN))

Re: I created a field that has 3 values. How can I change one of the values from WARNING to WARN using lookups?

somesoni2 — Fri, 12 Aug 2016 17:02:43 GMT

Try this as your props.conf entry for field extraction

[yoursourcetype]
EXTRACT-logvalue=^=(?<logLevel>(WARN|\w+))

Working example (run anywhere search) to validate regex

| gentimes start=-1 | eval temp="=WARNING =ERROR =INFO =FATAL =SOMETHINGELSE" | table temp | makemv temp | mvexpand temp | rename temp as _raw | rex "^=(?<logLevel>(WARN|\w+))"