Archive
Highlighted

Grouping by name

Contributor

Hi,
In my search results i have numbers like this and i would like to group them by group1 and group2.
Where group1 =263806,263807,263808,263809,263810,263811
and rest numbers should be group2

So i have used the below expression, i see group1 but group2 is not working properly

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g" | rex mode=sed field=x "s/([^(26380[6-9]]$|[^26381[0-1]]$)/group2/g" | stats count by x

183512

217654

217655

217656

217657

224808

263806

263807

263808

263809

263810

263811

279992

279996
314724

Tags (1)
0 Karma
Highlighted

Re: Grouping by name

Builder

You'll need to specify the boundary of your numeric string. Assuming the strategy is right aggressive, you answer should look like this:

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g"
| rex mode=sed field=x "s/\d+/group2/g"
| stats count by x

The errors in your second expression take some nuance to explain, but you do not need any complexity. If your expression for the first group is correct, just use the side effect of mode sed: the second expression will never see numbers in the first group.

View solution in original post

0 Karma
Highlighted

Re: Grouping by name

Esteemed Legend

Like this:

| makeresults 
| eval x="183512 217654 217655 217656 217657 224808 263806 263807 263808 263809 263810 263811 279992 279996 314724" 
| makemv x 
| mvexpand x 

| rename COMMENT AS "Everything above creates test event data; everything below is your solution"

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])$/group1/g s/^\d+$/group2/g" 
| stats count by x
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.