Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Levenshtein Command: How can you add a field to th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following Search
`enter code here`sourcetype="cisco-esa"
| rex field=mailfrom ".+@(?<domain>.+\..+)"
| stats count by domain
| eval list="mozilla" | `ut_parse_extended(url, list)`
| stats sum(count) as count by domain
| where domain!="gmeil.com"
| eval company_domain="gmeil.com"
| `ut_levenshtein(domain, company_domain)`
| eval ut_levenshtein= min(ut_levenshtein)
| where ut_levenshtein < 3
It outputs a table that has the following fields:
domain count company_domain ut_levenshtein.
I want to add another field into the table. Specifically "MID" Is there a way to add another field to be displayed in the output?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jared,
Good question, if you wish to keep the MID you have to include it in your stats commands since it is a transforming command.
See here : http://docs.splunk.com/Splexicon:Transformingcommand
In your case the query should look like this :
`enter code here`sourcetype="cisco-esa"
| rex field=mailfrom ".+@(?<domain>.+\..+)"
| stats count, values(MID) as MID by domain
| eval list="mozilla" | `ut_parse_extended(url, list)`
| stats sum(count) as count by domain,MID
| where domain!="gmeil.com"
| eval company_domain="gmeil.com"
| `ut_levenshtein(domain, company_domain)`
| eval ut_levenshtein= min(ut_levenshtein)
| where ut_levenshtein < 3
Let me know how that works out for you.
Regards.
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jared,
Good question, if you wish to keep the MID you have to include it in your stats commands since it is a transforming command.
See here : http://docs.splunk.com/Splexicon:Transformingcommand
In your case the query should look like this :
`enter code here`sourcetype="cisco-esa"
| rex field=mailfrom ".+@(?<domain>.+\..+)"
| stats count, values(MID) as MID by domain
| eval list="mozilla" | `ut_parse_extended(url, list)`
| stats sum(count) as count by domain,MID
| where domain!="gmeil.com"
| eval company_domain="gmeil.com"
| `ut_levenshtein(domain, company_domain)`
| eval ut_levenshtein= min(ut_levenshtein)
| where ut_levenshtein < 3
Let me know how that works out for you.
Regards.
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works other than the count doesn't seem to really make sense. The first row says 1 and the rest of them have the same value. I think the other value is the total number of results. I think I can figure out the rest from here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jared_anderson,
Try the query below:
`enter code here`sourcetype="cisco-esa"
| rex field=mailfrom ".+@(?<domain>.+\..+)"
| stats count by domain
| eval list="mozilla" | `ut_parse_extended(url, list)`
| stats sum(count) as count values(MID) AS MID by domain
| where domain!="gmeil.com"
| eval company_domain="gmeil.com"
| `ut_levenshtein(domain, company_domain)`
| eval ut_levenshtein= min(ut_levenshtein)
| where ut_levenshtein < 3
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
