topic Re: Split the name in Getting Data In

Split the name

dchalasani — Tue, 29 Sep 2020 14:06:16 GMT

Hi,

I have a values name like AV:EC2:ES:401 and AV:EC2 Now I want to show only EC2 how to show it.

Can anyone please correct this query

index=aws sourcetype=description |dedup signature_id |eval tmp=split(signature_id,"-") |eval services=mvindex(tmp,0)|stats count by services

Re: Split the name

dchalasani — Wed, 17 May 2017 13:51:28 GMT

Other than split there is any other way to do it?

Re: Split the name

DalJeanis — Wed, 17 May 2017 14:13:19 GMT

First, if you were using split, you need to get the delimiter right, and to select the second field, you would use offset 1.

index=aws sourcetype=description 
| dedup signature_id 
| eval tmp=split(signature_id,":") 
| eval services=mvindex(tmp,1)
| stats count by services

Second, you could use rex just as well

index=aws sourcetype=description 
| dedup signature_id 
| rex field=signature_id "^[^:]+:(?<services>[^:]+) 
| stats count by services

Re: Split the name

kmorris_splunk — Wed, 17 May 2017 14:13:24 GMT

You are splitting your field on the "-" delimiter instead of the ":". Also, in your mvindex, you want 1, not 0. The 0 would be the first value, or "AV" in your example.

Re: Split the name

aakwah — Tue, 29 Sep 2020 14:06:19 GMT

Hello,

If signature_id has these values: AV:EC2:ES:401 and AV:EC2, then your query need to be edited like this:

index=aws sourcetype=description |dedup signature_id |eval tmp=split(signature_id,":") |eval services=mvindex(tmp,1)|stats count by services

you can use rex command as well

Regards

Re: Split the name

dchalasani — Wed, 17 May 2017 14:43:46 GMT

Thanks Split is working..Can you do one correction It showing like EC2-007 and CLT-005. Now i want to remove that -007. want only EC2 or CLT to display

Re: Split the name

dchalasani — Wed, 17 May 2017 14:45:36 GMT

Thanks Split is working..Can you do one correction It showing like EC2-007 and CLT-005. Now i want to remove that -007 or -005. I want only EC2 or CLT to display

Re: Split the name

kmorris_splunk — Wed, 17 May 2017 14:51:28 GMT

You could use the same method on that field:

[BASE SEARCH]
| eval tmp=split(signature_id,":")
|eval services=mvindex(tmp,1)
| eval tmp2 = split(services,"-")
| eval services_nonum = mvindex(tmp2,0)

Re: Split the name

dchalasani — Wed, 17 May 2017 14:54:22 GMT

Still It is showing CLT-002 CFM-002 EC2-004 EC2 CS EC2-011 Like this..

I want only services name like EC2,CLT,CFM...like that

Re: Split the name

dchalasani — Wed, 17 May 2017 14:55:42 GMT

services    count

1 ALB-001 1
2 CFM-001 1
3 CFM-002 1
4 CLT-002 1
5 CLT-003 1
6 CLT-004 1
7 CLT-005 1
8 CLT-006 1
9 CS 1
10 EC2 2
11 EC2-001 1
12 EC2-002 1
13 EC2-003 2
14 EC2-004

Re: Split the name

kmorris_splunk — Wed, 17 May 2017 14:59:07 GMT

Is your stats command counting by services? I had changed the name in my example to services_nonum. You could either use that or change that to services and leave the stats command line alone.

Re: Split the name

dchalasani — Tue, 29 Sep 2020 14:06:22 GMT

I tried to do like this..It is also not working

Re: Split the name

dchalasani — Wed, 17 May 2017 15:07:04 GMT

Now it is working Thank you very much I removed_nonum..

Re: Split the name

dchalasani — Wed, 17 May 2017 15:07:56 GMT

Thank You DalJeanis and Kmorris for you help

Re: Split the name

kmorris_splunk — Wed, 17 May 2017 15:13:30 GMT

Glad to help.

Re: Split the name

woodcock — Wed, 17 May 2017 15:18:54 GMT

Like this:

index=aws sourcetype=description
| dedup signature_id
| rex field=services mode=sed "s/^[^:]+:// s/:.*$//"

Re: Split the name

dchalasani — Tue, 29 Sep 2020 14:06:28 GMT

Thanks Woodcock..

Now I want to show the services in Row format how to convert this column to row... I tried to use xyseries but it is not working..

Can you please correct the above string with Row format

Thanks

Re: Split the name

dchalasani — Tue, 29 Sep 2020 14:06:30 GMT

Now I want to show the services in Row format how to convert this column to row... I tried to use xyseries but it is not working..

Can you please correct the above string with Row format

Thanks

Re: Split the name

DalJeanis — Wed, 17 May 2017 15:56:46 GMT

@dchalasani - (1) please start a new question for a new subject. (2) you can only "accept" one answer, but if an answer or comment is helpful, you can upvote them instead. (3) to transpose this, you could use untable and some other commands, or you can do this after your stats count by services -

| eval {services} = count
| fields - services count
| stats values(*) as *

The above assumes that all values of "services" would be valid field names.

Re: Split the name

dchalasani — Wed, 17 May 2017 16:22:45 GMT

Thanks Dal!