All Apps and Add-ons

Levenshtein Command: How can you add a field to the output?

jared_anderson
Path Finder

I have the following Search

`enter code here`sourcetype="cisco-esa" 
| rex field=mailfrom ".+@(?<domain>.+\..+)" 
| stats count by domain
| eval list="mozilla" | `ut_parse_extended(url, list)`
| stats sum(count) as count by domain
| where domain!="gmeil.com"
| eval company_domain="gmeil.com"
| `ut_levenshtein(domain, company_domain)`
| eval ut_levenshtein= min(ut_levenshtein)
| where ut_levenshtein < 3

It outputs a table that has the following fields:

domain count company_domain ut_levenshtein.

I want to add another field into the table. Specifically "MID" Is there a way to add another field to be displayed in the output?

0 Karma
1 Solution

DavidHourani
Super Champion

Hi Jared,

Good question, if you wish to keep the MID you have to include it in your stats commands since it is a transforming command.
See here : http://docs.splunk.com/Splexicon:Transformingcommand

In your case the query should look like this :

`enter code here`sourcetype="cisco-esa" 
 | rex field=mailfrom ".+@(?<domain>.+\..+)" 
 | stats count, values(MID) as MID by domain
 | eval list="mozilla" | `ut_parse_extended(url, list)`
 | stats sum(count) as count by domain,MID
 | where domain!="gmeil.com"
 | eval company_domain="gmeil.com"
 | `ut_levenshtein(domain, company_domain)`
 | eval ut_levenshtein= min(ut_levenshtein)
 | where ut_levenshtein < 3

Let me know how that works out for you.
Regards.
David

View solution in original post

0 Karma

DavidHourani
Super Champion

Hi Jared,

Good question, if you wish to keep the MID you have to include it in your stats commands since it is a transforming command.
See here : http://docs.splunk.com/Splexicon:Transformingcommand

In your case the query should look like this :

`enter code here`sourcetype="cisco-esa" 
 | rex field=mailfrom ".+@(?<domain>.+\..+)" 
 | stats count, values(MID) as MID by domain
 | eval list="mozilla" | `ut_parse_extended(url, list)`
 | stats sum(count) as count by domain,MID
 | where domain!="gmeil.com"
 | eval company_domain="gmeil.com"
 | `ut_levenshtein(domain, company_domain)`
 | eval ut_levenshtein= min(ut_levenshtein)
 | where ut_levenshtein < 3

Let me know how that works out for you.
Regards.
David

0 Karma

jared_anderson
Path Finder

This works other than the count doesn't seem to really make sense. The first row says 1 and the rest of them have the same value. I think the other value is the total number of results. I think I can figure out the rest from here.

deepashri_123
Motivator

Hi jared_anderson,

Try the query below:

`enter code here`sourcetype="cisco-esa" 
 | rex field=mailfrom ".+@(?<domain>.+\..+)" 
 | stats count by domain
 | eval list="mozilla" | `ut_parse_extended(url, list)`
 | stats sum(count) as count  values(MID) AS MID by domain
 | where domain!="gmeil.com"
 | eval company_domain="gmeil.com"
 | `ut_levenshtein(domain, company_domain)`
 | eval ut_levenshtein= min(ut_levenshtein)
 | where ut_levenshtein < 3
0 Karma
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...