topic Re: Can you help me create a separate field called "customer" that contains the following values? in Splunk Search

Can you help me create a separate field called "customer" that contains the following values?

Mohsin123 — Wed, 12 Sep 2018 10:51:53 GMT

I was trying to group by together the field values .

Example: i have a field called "url" that has such sort of data :

/customer/a1
/customer/b1

Can you please help me figure out whether I can create a separate field called "customer" that contains the values :

/customer/a1   and   /customer/a2

purpose is: i am getting >100k results for the timechart for a 24 hours frame .

And hence, data loading doesn't happen

Can you please help ?

Re: Can you help me create a separate field called "customer" that contains the following values?

harsmarvania57 — Wed, 12 Sep 2018 11:11:23 GMT

Hi @Mohsin123,

Can you please try this query?

< your base search> | stats values(eval(if(url="/customer/a1" AND url="/customer/b1",user,null()))) AS customer

Re: Can you help me create a separate field called "customer" that contains the following values?

Mohsin123 — Wed, 12 Sep 2018 11:22:42 GMT

Thank you so much ,
but could you please tell me if i want to add like for the url values , then????
because i have >10000 url values in the url field

Re: Can you help me create a separate field called "customer" that contains the following values?

Mohsin123 — Wed, 12 Sep 2018 11:28:45 GMT

i used like this , but its not working

| stats values(eval(if(like(url,"%oauth%")))) AS OAUTH

Re: Can you help me create a separate field called "customer" that contains the following values?

harsmarvania57 — Wed, 12 Sep 2018 11:34:01 GMT

It should be like this

| stats values(eval(if(like(url,"%oauth%"),user,null()))) AS OAUTH

Re: Can you help me create a separate field called "customer" that contains the following values?

Mohsin123 — Wed, 12 Sep 2018 12:29:17 GMT

@harsmarvania57

This still doenst work
| stats values(eval(if(like(url,"%oauth%"),user,null()))) AS OAUTH values(eval(if(like(url,"%well-known%"),user,null()))) AS WELL-KNOWN , values(eval(if(like(url,"%customer%"),user,null()))) AS CUSTOMER , values(eval(if(like(url,"%admin%"),user,null()))) AS ADMIN

Re: Can you help me create a separate field called "customer" that contains the following values?

harsmarvania57 — Wed, 12 Sep 2018 13:20:39 GMT

Can you please provide some sample data (Mask sensitive data) ? In your environment url & user fields are extracting automatically ? Also please provide your full splunk query.

I have tested similar query on Windows event logs and it is working fine.

index=wineventlog | stats values(eval(if(like(EventCode, "462%"),host,null()))) as macth_host by EventCode

Re: Can you help me create a separate field called "customer" that contains the following values?

Mohsin123 — Tue, 29 Sep 2020 21:15:12 GMT

@harsmarvania57

Hi Harsh ,
Could you please tell me if i could timechart after a stats group by .
below is my query :

index=idxd sourcetype IN ("prhe_access", "prod") | rex field=_raw "\"GET\ (?[^\"\?]+).*\ HTTP"

| stats values(eval(if(like(url,"%oauth%"),url,null()))) AS OAUTH values(eval(if(like(url,"%well-known%"),url,null()))) AS WELL-KNOWN , values(eval(if(like(url,"%customer%"),url,null()))) AS CUSTOMER , values(eval(if(like(url,"%admin%"),url,null()))) AS ADMIN

Re: Can you help me create a separate field called "customer" that contains the following values?

harsmarvania57 — Fri, 14 Sep 2018 10:27:51 GMT

For timechart you should have count or average (Or some digit values) to create chart over time range, in your query you are just fetching URL values and you can't create timechart on those values.