Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Grouping by name

xvxt006
Contributor
‎06-10-2017 05:03 PM

Hi,
In my search results i have numbers like this and i would like to group them by group1 and group2.
Where group1 =263806,263807,263808,263809,263810,263811
and rest numbers should be group2

So i have used the below expression, i see group1 but group2 is not working properly

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g" | rex mode=sed field=x "s/([^(26380[6-9]]$|[^26381[0-1]]$)/group2/g" | stats count by x

183512

217654

217655

217656

217657

224808

263806

263807

263808

263809

263810

263811

279992

279996
314724

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎06-10-2017 05:36 PM

You'll need to specify the boundary of your numeric string. Assuming the strategy is right aggressive, you answer should look like this:

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g"
| rex mode=sed field=x "s/\d+/group2/g"
| stats count by x

The errors in your second expression take some nuance to explain, but you do not need any complexity. If your expression for the first group is correct, just use the side effect of mode sed: the second expression will never see numbers in the first group.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-11-2017 07:40 PM

Like this:

| makeresults 
| eval x="183512 217654 217655 217656 217657 224808 263806 263807 263808 263809 263810 263811 279992 279996 314724" 
| makemv x 
| mvexpand x 

| rename COMMENT AS "Everything above creates test event data; everything below is your solution"

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g s/^\d+$/group2/g" 
| stats count by x
0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎06-10-2017 05:36 PM

You'll need to specify the boundary of your numeric string. Assuming the strategy is right aggressive, you answer should look like this:

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g"
| rex mode=sed field=x "s/\d+/group2/g"
| stats count by x

The errors in your second expression take some nuance to explain, but you do not need any complexity. If your expression for the first group is correct, just use the side effect of mode sed: the second expression will never see numbers in the first group.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...