topic How to create a new key-value pair from various fieldnames with a similar pattern? in Splunk Search

How to create a new key-value pair from various fieldnames with a similar pattern?

HeinzWaescher — Tue, 29 Sep 2020 12:47:47 GMT

Hi,

my events can include a fieldname with a pattern like:

product_type_a
product_type_b
product_type_c

To group calculations by product type, I think about creating a new key-value pair like
type=product_type_A. I could use a CASE command, but then I need to know all product_type_* that will appear in the future.
Is there a way to use something like COALESCE in combination with a wildcard or LIKE, to grab the first appearing fieldname as value?

Thanks in advance
Heinz

Re: How to create a new key-value pair from various fieldnames with a similar pattern?

gcusello — Tue, 07 Feb 2017 10:52:24 GMT

Hi HeinzWaescher,
could you detail your question?
you can group events by type using stats command, but you already know!
if you want, you could also populate a lookup with a scheduled search and list all the type values to use in your statistic searches.
Bye.
Giuseppe

Re: How to create a new key-value pair from various fieldnames with a similar pattern?

adayton20 — Tue, 07 Feb 2017 12:28:37 GMT

I'm not sure if I understand completely what your request is. Are you saying Splunk is extracting different product names from your events as their own individual fields? Could you provide a few samples of your events, and a screen shot? I may be able to help, but I'd need to see the data first.

Re: How to create a new key-value pair from various fieldnames with a similar pattern?

woodcock — Tue, 07 Feb 2017 22:03:34 GMT

Like this:

| rex max_match=1 "(?<type>product_type_\w+)"

Re: How to create a new key-value pair from various fieldnames with a similar pattern?

HeinzWaescher — Tue, 29 Sep 2020 12:45:21 GMT

I would like to extract a new key value pair from fieldnames that can appear in the events.
Let's say we have 3 events, with these fieldnames and amounts.

event1: product_type_a=5
event2: product_type_b=8
event:3 product_type_c=10

What I want to do here, is to transform fieldnames with the pattern product_type_* into values for the new field "type". So in the end, I have a new field per event

event1: type=product_type_a
event2: type=product_type_b
event3: type=product_type_c

Re: How to create a new key-value pair from various fieldnames with a similar pattern?

HeinzWaescher — Wed, 08 Feb 2017 10:09:16 GMT

I tried that out but the search shows an error:

Error in 'SearchOperator:regex': Usage: regex (=|!=)

Re: How to create a new key-value pair from various fieldnames with a similar pattern?

gvmorley — Wed, 08 Feb 2017 10:32:11 GMT

Hi,

Sounds like your just looking to use the rex command. So either of these depending on what format you want:

| rex "product_type_(?<type>[^\s]+)"

| rex "(?<type2>product_type_[^\s]+)"

Which would look like this:

Re: How to create a new key-value pair from various fieldnames with a similar pattern?

woodcock — Wed, 08 Feb 2017 17:58:52 GMT

I had a typo! I meant rex, not regex! Try the fixed answer now!