topic Re: How to change the name of the source path that is being shown in the results? in Getting Data In

How to change the name of the source path that is being shown in the results?

diabinho — Fri, 08 Nov 2019 16:25:41 GMT

I have a search that gives me two groups separated by two different sources but I do not want to have the source path showing, I want to rename it, how can I do that?

For example, to show sourcegroup1 and sourcegroup2?

Thanks

Re: How to change the name of the source path that is being shown in the results?

starcher — Fri, 08 Nov 2019 16:58:21 GMT

example

| makeresults 
| eval source="source1/log.log" 
| rex field=source "^(?P<source_group>[^\/]+)" 
| fields - source

Re: How to change the name of the source path that is being shown in the results?

mayurr98 — Fri, 08 Nov 2019 17:05:55 GMT

Try this:

| makeresults 
| eval source="source1/log.log" 
| rex field=source mode=sed "s/^[a-zA-Z]+(\d+)\/.*/sourcegroup\1/g"

Re: How to change the name of the source path that is being shown in the results?

arjunpkishore5 — Sat, 09 Nov 2019 19:22:55 GMT

Multiple ways to approach this

If your list is small, you can use a simple case statement

| eval source=case(match(source, "source1"), "sourcegroup1", match(source, "source2"), "sourcegroup2")

If your list is larger, use a lookup file with the mappings

| lookup <lookupfile> <source-old> as source OUTPUT <source-new >as source

Need to extract part of your source as the new source? refer to the rex examples provided by @starcher and @mayurr98

Case - https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/ConditionalFunctions
Lookup - https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Lookup

Re: How to change the name of the source path that is being shown in the results?

diabinho — Sun, 10 Nov 2019 12:11:42 GMT

@arjunpkishore5 it almost did the trick, the first approach. But now it does show anything. I get the column "source" but nothing on each line (no sourcegroup1 or sourcegroup2).

Thanks

Re: How to change the name of the source path that is being shown in the results?

arjunpkishore5 — Sun, 10 Nov 2019 13:00:50 GMT

Is the value of source in mixed case? As in , has both upper and lower case characters?

Re: How to change the name of the source path that is being shown in the results?

diabinho — Sun, 10 Nov 2019 13:06:31 GMT

Yes they do, in both sources.

Re: How to change the name of the source path that is being shown in the results?

arjunpkishore5 — Sun, 10 Nov 2019 22:51:26 GMT

in that case, please change the case statement to the following.

| eval source=case(match(lower(source), "source1"), "sourcegroup1", match(lower(source), "source2"), "sourcegroup2")

match is case sensitive. so I'm force converting the value to lower case so that they match to the lowercase pattern

Re: How to change the name of the source path that is being shown in the results?

diabinho — Mon, 11 Nov 2019 07:58:07 GMT

Didnt work, keep getting them in blank.

Re: How to change the name of the source path that is being shown in the results?

woodcock — Sat, 16 Nov 2019 22:48:27 GMT

Like this:

... | rex field=source mode=sed "s/\/.*$//"

Re: How to change the name of the source path that is being shown in the results?

arjunpkishore5 — Mon, 25 Nov 2019 13:05:55 GMT

Hi, I was away for a few days. Is your issue resolved now ?