topic Re: How can I add list of field values into an array in Splunk Search

How can I add list of field values into an array

power12 — Tue, 11 Jun 2024 00:25:22 GMT

I have a search that outputs the hostlist by test.

index=abc | stats count by host test | stats count as total_count values(host) as host_list by test which gives me list of hosts by test like below

test	host_list
new	abc0002 abc0003 abc0004 abc0005 abc0006 abc0007 abc0008 abc0009 abc0010 abc0011 abc0012 abc0013 abc0014 abc0015 abc0016 abc0017 abc0018 abc0019 abc0020 abc0022 abc0024 abc0025 abc0026 abc0027 abc0028 abc0029 abc0031

II would like to group the range of host like [abc0002-abc0020] [abc0022] [abc0024-abc0029] [abc0031] instead of the whole list by test like below image

test	host_list	host_array
new	abc0002 abc0003 abc0004 abc0005 abc0006 abc0007 abc0008 abc0009 abc0010 abc0011 abc0012 abc0013 abc0014 abc0015 abc0016 abc0017 abc0018 abc0019 abc0020 abc0022 abc0024 abc0025 abc0026 abc0027 abc0028 abc0029 abc0031	[abc0002-abc0020] [abc0022] [abc0024-abc0029] [abc0031]

Thank you in Advance Splunkers

Re: How can I add list of field values into an array

KendallW — Tue, 11 Jun 2024 00:56:54 GMT

Hi @power12 try something like this (assuming the host names all follow the same format)

index=abc
| rex field=host "(?<hostname>\w+)(?<hostnum>\d+)"
| eval hostnum=tonumber(hostnum)
| eval hostgroup=case(hostnum>=2 AND hostnum<=20, "group1", hostnum=22, "group2", hostnum>=24 AND hostnum<=29, "group3", hostnum=31, "group4")
| stats count by host test hostgroup
| stats count as total_count values(host) as host_list by test, hostgroup

Re: How can I add list of field values into an array

bowesmana — Tue, 11 Jun 2024 01:50:25 GMT

I see you asked this in Slack, but you can use foreach on your final data example, there could be a better way to work it out in the foreach. Not sure what you want to do about the host name prefix, but if it's fixed you can add it back

| makeresults format=csv data="host_list abc0002 abc0003 abc0004 abc0005 abc0006 abc0007 abc0008 abc0009 abc0010 abc0011 abc0012 abc0013 abc0014 abc0015 abc0016 abc0017 abc0018 abc0019 abc0020 abc0022 abc0024 abc0025 abc0026 abc0027 abc0028 abc0029 abc0031" | eval test="new" | stats values(host_list) as host_list by test ``` Above is creating your example data ``` ``` Get the numeric part ``` | rex field=host_list max_match=0 "(?<prefix>[^0-9]*)(?<id>\d+)" | eval c=0 | foreach id mode=multivalue [ eval n=<<ITEM>>, diff=n-prev, ss=case(isnull(ss), mvindex(prefix, c).<<ITEM>>, diff>1, mvappend(ss, mvindex(prefix, c).<<ITEM>>), true(), ss), ee=case(isnull(ss), null(), diff>1, mvappend(ee, r), true(), ee), r=mvindex(prefix, c).<<ITEM>>, prev=n, c=c+1 ] | eval ee=mvappend(ee, r) | eval ranges=mvzip(ss, ee, "-") | fields - diff id n prev r ss ee c

Re: How can I add list of field values into an array

bowesmana — Tue, 11 Jun 2024 23:53:05 GMT

Based on your Slack response, I think this is what you will want

...your search ... | rex field=host_list max_match=0 "(?<prefix>[^0-9]*)(?<id>\d+)" | eval prefix=mvdedup(prefix) | foreach id mode=multivalue [ eval n=<<ITEM>>, diff=n-prev, ss=case(isnull(ss), n, diff>1, mvappend(ss, n), true(), ss), ee=case(isnull(ss), null(), diff>1, if(r=mvindex(ss,-2), mvappend(ee, " "), mvappend(ee, r)), true(), ee), r=n, prev=n ] | eval ee=if(r=mvindex(ss,-1), mvappend(ee, " "), mvappend(ee, r)) | eval ranges=prefix."[".mvjoin(rtrim(mvzip(ss, ee, "-"), "- "), ",")."]" | fields - diff id n prev r ss ee