topic Re: How to replace an alphanumeric string in a field? in Splunk Search

How to replace an alphanumeric string in a field?

saibalabadra — Fri, 01 Jun 2018 23:10:15 GMT

I have query to count the URIs but in some places there are dynamic values so I am trying to replace dynamic values with a character like '*' so that same URI pattern will be considered as one value and list the total count irrespective of dynamic value. I tried below query but it is replacing only numbers.

Ex:

Query: ....|stats count by URI

Actual Result:

URI Count
abc/xyz/1000/uvw 1
abc/xyz/2000/uvw 1
abc/xyz/3000/uvw 1
abc/xyz/def/uvw/1234/a1b2c3d4/rst 1
abc/xyz/def/uvw/5678/e5f6g7h8/rst 1

Expected Result:

URI Count
abc/xyz/*/uvw 3
abc/xyz/def/uvw/*/*/rst 2

Re: How to replace an alphanumeric string in a field?

FrankVl — Sat, 02 Jun 2018 01:21:57 GMT

Are those the only 2 specific patterns you need to handle, or are there more variations?

Re: How to replace an alphanumeric string in a field?

saibalabadra — Tue, 29 Sep 2020 19:48:50 GMT

There are more variations but they are similar except that the position of dynamic values would very. I tried below rex command but it is replacing numbers only, if I update expression to consider alphanumeric then it is replacing all characters in the field and returning just slashes and asterisks.

|rex field=URI mode=sed "/s[0-9\s\t\n\v]+ | {2,} /* /g"
|stats count by URI

Result:

URI Count
abc/xyz//uvw 3
abc/xyz/def/uvw//a*b*c*d*/rst 1
abc/xyz/def/uvw//e*f*g*h/rst 1

|rex field=URI mode=sed "/s[a-zA-Z0-9\s\t\n\v]+ | {2,} /* /g"
|stats count by URI

URI Count
/// 3
//////* 2

Re: How to replace an alphanumeric string in a field?

niketn — Sat, 02 Jun 2018 11:13:29 GMT

@saibalabadra, please try to pipe the following eval and stats to your existing search:

<yourCurrentSearch>
    | eval url_pattern=case(match(url,"abc\/xyz\/def\/uvw\/.*\/.*\/rst"),"abc/xyz/def/uvw/*/*/rst",match(url,"abc\/xyz\/.*\/uvw"),"abc/xyz/*/uvw")
    | stats sum(count) as Count by url_pattern

Following is a run anywhere search based on sample data provided in the question

| makeresults
| eval data="abc/xyz/1000/uvw 1;abc/xyz/2000/uvw 1;abc/xyz/3000/uvw 1;abc/xyz/def/uvw/1234/a1b2c3d4/rst 1;abc/xyz/def/uvw/5678/e5f6g7h8/rst 1"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval url=mvindex(data,0), count=mvindex(data,1)
| fields - _time data
| eval url_pattern=case(match(url,"abc\/xyz\/def\/uvw\/.*\/.*\/rst"),"abc/xyz/def/uvw/*/*/rst",match(url,"abc\/xyz\/.*\/uvw"),"abc/xyz/*/uvw")
| stats sum(count) as Count by url_pattern