
Levenshtein Command: How can you add a field to the output?

jared_anderson
Path Finder

I have the following Search

sourcetype="cisco-esa"
| rex field=mailfrom ".+@(?<domain>.+\..+)"
| stats count by domain
| eval list="mozilla" | `ut_parse_extended(url, list)`
| stats sum(count) as count by domain
| where domain!="gmeil.com"
| eval company_domain="gmeil.com"
| `ut_levenshtein(domain, company_domain)`
| eval ut_levenshtein=min(ut_levenshtein)
| where ut_levenshtein < 3

It outputs a table that has the following fields:

domain, count, company_domain, ut_levenshtein.

I want to add another field into the table, specifically "MID". Is there a way to add another field to be displayed in the output?


DavidHourani
Super Champion

Hi Jared,

Good question. If you wish to keep the MID, you have to include it in your stats commands, since stats is a transforming command.
See here: http://docs.splunk.com/Splexicon:Transformingcommand

In your case the query should look like this:

sourcetype="cisco-esa"
| rex field=mailfrom ".+@(?<domain>.+\..+)"
| stats count, values(MID) as MID by domain
| eval list="mozilla" | `ut_parse_extended(url, list)`
| stats sum(count) as count by domain,MID
| where domain!="gmeil.com"
| eval company_domain="gmeil.com"
| `ut_levenshtein(domain, company_domain)`
| eval ut_levenshtein=min(ut_levenshtein)
| where ut_levenshtein < 3

Let me know how that works out for you.
Regards.
David


jared_anderson
Path Finder

This works, other than the count doesn't seem to really make sense. The first row says 1 and the rest of them have the same value. I think the other value is the total number of results. I think I can figure out the rest from here.

deepashri_123
Motivator

Hi jared_anderson,

Try the query below:

sourcetype="cisco-esa"
| rex field=mailfrom ".+@(?<domain>.+\..+)"
| stats count, values(MID) as MID by domain
| eval list="mozilla" | `ut_parse_extended(url, list)`
| stats sum(count) as count, values(MID) as MID by domain
| where domain!="gmeil.com"
| eval company_domain="gmeil.com"
| `ut_levenshtein(domain, company_domain)`
| eval ut_levenshtein=min(ut_levenshtein)
| where ut_levenshtein < 3
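As an added illustration of what the pipeline in this thread does (this is not code from the thread or from URL Toolbox), the Python below parses a few constructed ESA-style log lines, aggregates by sender domain while carrying MID along with each group (the point of the answers above), and flags domains within Levenshtein distance 3 of the company domain. The log line format and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the spirit of Cisco ESA mail logs (not real data).
SAMPLE_LOGS = [
    "MID 1001 ICID 5 From: <alice@gmail.com>",
    "MID 1002 ICID 6 From: <bob@gmeil.com>",
    "MID 1003 ICID 7 From: <carol@gmail.com>",
    "MID 1004 ICID 8 From: <dave@gmai1.com>",
    "MID 1005 ICID 9 From: <eve@example.org>",
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b, the metric `ut_levenshtein` computes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

LINE_RE = re.compile(r"MID (?P<mid>\d+) .*From: <(?P<mailfrom>[^>]+)>")  # assumed format
DOMAIN_RE = re.compile(r".+@(?P<domain>.+\..+)")  # same rex as the thread's query

def lookalike_domains(lines, company_domain, max_distance=3):
    """Equivalent of: stats count, values(MID) by domain | ut_levenshtein | where < 3."""
    stats = defaultdict(lambda: {"count": 0, "MID": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        d = DOMAIN_RE.match(m.group("mailfrom"))
        if not d:
            continue
        row = stats[d.group("domain")]
        row["count"] += 1          # like stats count by domain
        row["MID"].add(m.group("mid"))  # like values(MID) as MID, kept per domain
    results = []
    for domain, row in stats.items():
        if domain == company_domain:   # where domain!=company_domain
            continue
        dist = levenshtein(domain, company_domain)
        if dist < max_distance:        # where ut_levenshtein < 3
            results.append({"domain": domain, "count": row["count"],
                            "MID": sorted(row["MID"]), "ut_levenshtein": dist})
    return sorted(results, key=lambda r: r["ut_levenshtein"])
```

With the sample above and company_domain "gmeil.com" (the value used in the thread), gmail.com (distance 1, two messages) and gmai1.com (distance 2, one message) are returned with their MIDs, while example.org is not.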