topic Re: How do you use regex on 2 fields and combine them into one field for an xyseries? in Splunk Search

How do you use regex on 2 fields and combine them into one field for an xyseries?

krusovice — Wed, 05 Dec 2018 02:45:36 GMT

Hi all,

I have a simple regex to extract 2 fields — name1 and name2. And I would need to combine it like this: name1.name2 and send it to xyseries as one name. I can't make it work with the below query.

| rex "line1\=(?<name1>[\w+]+)" 
| rex "line2\=(?<name2>[\w+]+)"
| eval fullname=name1.name2
| xyseries fullname date_hour count

Could someone please help me? Thank you in advance.

Re: How do you use regex on 2 fields and combine them into one field for an xyseries?

prakash007 — Wed, 05 Dec 2018 03:36:25 GMT

How about this..

| rex "line1\=(?<name1>[\w+]+)" 
| rex "line2\=(?<name2>[\w+]+)"
| eval fullname=name1." ".name2
| xyseries fullname date_hour count

Re: How do you use regex on 2 fields and combine them into one field for an xyseries?

krusovice — Wed, 05 Dec 2018 06:42:37 GMT

Hi @prakash007,

Thanks for reply, it is not working.

Re: How do you use regex on 2 fields and combine them into one field for an xyseries?

kamlesh_vaghela — Wed, 05 Dec 2018 07:18:06 GMT

@krusovice

Can you please share you sample events?

Re: How do you use regex on 2 fields and combine them into one field for an xyseries?

krusovice — Wed, 05 Dec 2018 07:34:25 GMT

raw data like this:

line1=aaa
line2=yyy

Expected fullname should be aaa.yyy in x-axis of the table.

Re: How do you use regex on 2 fields and combine them into one field for an xyseries?

bjoernjensen — Wed, 05 Dec 2018 07:49:59 GMT

Hey,

most probably you have some NULL values. Use fillnull with an appropriate value (could also be NULL not an empty string as below):

| rex "line1\=(?<name1>[\w+]+)" 
| rex "line2\=(?<name2>[\w+]+)"
| fillnull name1 value=""
| fillnull name2 value=""
| eval fullname=name1.".".name2
| xyseries fullname date_hour count

Additionally this will actually add a dot . between name1 and name2

If that is not working... please provide the result without the last xyseries ...

Hope that helps,
Björn

Re: How do you use regex on 2 fields and combine them into one field for an xyseries?

kamlesh_vaghela — Wed, 05 Dec 2018 09:04:49 GMT

@krusovice

As per you given event, name1 and name2 are in separate event. So you have to make it in single event by aggregating. like using stats values

| stats values(name1) as name1 values(name2) as name2 by date_hour

here if you have any unique id for both events then you have to use it in by clause.

| stats values(name1) as name1 values(name2) as name2 by <<UNIQUE_ID>>

For reference see below search.

| makeresults 
| eval _raw="line1=aaa" 
| append 
    [| makeresults 
    | eval _raw="line2=yyy"] | eval ID=10 | eval date_hour=10
| rex "line1=(?<name1>[\w+]+)" 
| rex "line2=(?<name2>[\w+]+)"  
| stats values(name1) as name1 values(name2) as name2 count by ID date_hour
| eval fullname=name1.".".name2
| xyseries fullname date_hour count

Thanks

Re: How do you use regex on 2 fields and combine them into one field for an xyseries?

martin_mueller — Tue, 29 Sep 2020 22:21:51 GMT

Is there a reason for using xyseries with date_hour instead of timechart span=1h?
The date_foo fields are often trouble.

Re: How do you use regex on 2 fields and combine them into one field for an xyseries?

krusovice — Fri, 14 Dec 2018 03:53:32 GMT

Thank you, you have given some clue how to fix my SPL. Thank you.