Splunk Search

Grouping by name

xvxt006
Contributor

Hi,
In my search results i have numbers like this and i would like to group them by group1 and group2.
Where group1 =263806,263807,263808,263809,263810,263811
and rest numbers should be group2

So i have used the below expression, i see group1 but group2 is not working properly

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g" | rex mode=sed field=x "s/([^(26380[6-9]]$|[^26381[0-1]]$)/group2/g" | stats count by x

183512

217654

217655

217656

217657

224808

263806

263807

263808

263809

263810

263811

279992

279996
314724

Tags (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

You'll need to specify the boundary of your numeric string. Assuming the strategy is right aggressive, you answer should look like this:

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g"
| rex mode=sed field=x "s/\d+/group2/g"
| stats count by x

The errors in your second expression take some nuance to explain, but you do not need any complexity. If your expression for the first group is correct, just use the side effect of mode sed: the second expression will never see numbers in the first group.

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval x="183512 217654 217655 217656 217657 224808 263806 263807 263808 263809 263810 263811 279992 279996 314724" 
| makemv x 
| mvexpand x 

| rename COMMENT AS "Everything above creates test event data; everything below is your solution"

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g s/^\d+$/group2/g" 
| stats count by x
0 Karma

yuanliu
SplunkTrust
SplunkTrust

You'll need to specify the boundary of your numeric string. Assuming the strategy is right aggressive, you answer should look like this:

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g"
| rex mode=sed field=x "s/\d+/group2/g"
| stats count by x

The errors in your second expression take some nuance to explain, but you do not need any complexity. If your expression for the first group is correct, just use the side effect of mode sed: the second expression will never see numbers in the first group.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...