topic Re: Can we categorize the into fields based on the value of the field? in Splunk Search

Can we categorize the into fields based on the value of the field?

vrmandadi — Tue, 29 Sep 2020 16:48:27 GMT

Hello,

I have the below field with values

Source

abc_hd
xyz_hd
ppp
sqr_sd
aaa_sd

I want to create a new field called version with values as SD and HD,all the values with the _HD are HD and the other is counted as SD LIKE BELOW

Version
SD-3
hd-2

Re: Can we categorize the into fields based on the value of the field?

somesoni2 — Wed, 15 Nov 2017 16:59:39 GMT

You can try like this (function coalesce is setting sd as default value of no version if found on Source)

your search with field Source
| eval Version=coalesce(mvindex(split(Source,"_"),-1),"sd")
| stats count by Version

Re: Can we categorize the into fields based on the value of the field?

gcusello — Wed, 15 Nov 2017 16:59:53 GMT

Hi vrmandadi
try something like this

your_search
| rex field=source "(?<HD>hd|HD)$"
| eval Version=if(HD=*,"HD","SD")
| stats count BY Version

Bye.
Giuseppe

Re: Can we categorize the into fields based on the value of the field?

elliotproebstel — Wed, 15 Nov 2017 17:07:33 GMT

For this, I'd use a case statement and evaluate the field value with like to find the matching values and then use eventstats to count the matches before appending the type and count to create the desired Version field:

[ base search ] | eval type=case(like(Source, "%_hd"), "HD", like(Source, "%_sd"), "SD") | eventstats count BY type | eval Version=type."-".count | fields - type count

Re: Can we categorize the into fields based on the value of the field?

vrmandadi — Wed, 15 Nov 2017 17:14:15 GMT

Hi cudello,
I am getting the below error

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*,"HD","SD")'.

Re: Can we categorize the into fields based on the value of the field?

vrmandadi — Wed, 15 Nov 2017 17:14:46 GMT

Hi somesoni2 it only extracted HD

Re: Can we categorize the into fields based on the value of the field?

vrmandadi — Wed, 15 Nov 2017 17:18:56 GMT

hello elliotproebstel,

the SD ones some have _SD and some dont ,I tried your query but this not show any results

Re: Can we categorize the into fields based on the value of the field?

somesoni2 — Wed, 15 Nov 2017 17:20:25 GMT

Can you post some sample (if possible real value with sensitive data replaced with dummy char, try to keep the punctuations) where it failed to extract? It assumes that last segment after underscore is version in the values of field Source.

Re: Can we categorize the into fields based on the value of the field?

somesoni2 — Wed, 15 Nov 2017 17:25:14 GMT

Also give this a try

your search with field Source
 | eval Version=if(match(Source,"_hd"),"HD","SD")
 | stats count by Version

Re: Can we categorize the into fields based on the value of the field?

vrmandadi — Wed, 15 Nov 2017 17:38:58 GMT

This one worked ,I was using this one but I was using wildcharater * which was throwing me an error

Thanks a lot

Re: Can we categorize the into fields based on the value of the field?

elliotproebstel — Wed, 15 Nov 2017 19:12:46 GMT

Ah, yes, I missed that nuance. Sorry! Try this:

 [ base search ] | eval type=if(like(Source, "%_hd"), "HD", "SD") | eventstats count BY type | eval Version=type."-".count | fields - type count

That should assign HD as the type for events containing _hd and assign SD as the type for all others.

Re: Can we categorize the into fields based on the value of the field?

vrmandadi — Wed, 15 Nov 2017 21:29:37 GMT

Thank you ,I tried this | eval Version=if(match(Source,"_hd"),"HD","SD")
| stats count by Version

I was actually using wild character and it was throwing error

Re: Can we categorize the into fields based on the value of the field?

gcusello — Thu, 16 Nov 2017 10:29:53 GMT

try

your_search
 | rex field=source "(?<HD>hd|HD)$"
 | eval Version=if(HD="*","HD","SD")
 | stats count BY Version

Bye.
Giuseppe