How to change name of results dynamically

JoshuaJohn
Contributor

I have this search:

 index=nitro_iPad | rex "iPad-ip(?<storeNum>[^-]+)"  | rex "iOS(?<osversion>[^-]+)"  | table osversion storeNum | dedup storeNum

Here is an image of my results:

I want to alter my results so that when it says ####j it would be ####_skate, but for all of the letters present; for example, 1529k would turn into 1529_candy.

I figure a rename function would work, but I tried to no avail; I am guessing I just did it incorrectly.

Thank you!

0 Karma

somesoni2
SplunkTrust

Give this a try

index=nitro_iPad | rex "iPad-ip(?<storeNum>[^-]+)"  | rex "iOS(?<osversion>[^-]+)"  | table osversion storeNum | eval storeNum=case(match(storeNum,"^\d+j$"),replace(storeNum,"^(\d+)j$","\1_skate"),match(storeNum,"^\d+[A-Za-z]+$"),replace(storeNum,"^(\d+)[A-Za-z]+$","\1_candy"),true(),storeNum) | dedup storeNum
0 Karma

gcusello
SplunkTrust

Hi JoshuaJohn,
try adding something like this to your search (I inserted only two options in the case function, but you can insert others):

| eval storeNum=substr(storeNum,1,4)+case(substr(storeNum,5)="j","_skate",substr(storeNum,5)="k","_candy")

Bye.
Giuseppe

0 Karma

JoshuaJohn
Contributor

This works, but it will completely ignore ones without a letter behind the name, like 0126.

0 Karma

woodcock
Esteemed Legend

Like this:

... | rex field=storeNum mode=sed "s/\D+$/_candy/"
0 Karma

JoshuaJohn
Contributor

Also works, but the problem I am having here is with situations like 1502aa, which would be 1502_marshmallow, but 1407a would be 1407_crush; instead, 1502 would show up like this: 1502_marshmallow_crush.

0 Karma

woodcock
Esteemed Legend

Then you chain them up like this:

 ... | rex field=storeNum mode=sed "s/k$/_candy/ s/aa$/_marshmallow/ s/a$/_crush/"
0 Karma

JoshuaJohn
Contributor

I am getting a weird "search is waiting for input" when I start to chain.

0 Karma

woodcock
Esteemed Legend

Make sure that you are doing the tokening correctly. Download this app and check out the examples:

https://splunkbase.splunk.com/app/1603/

Check out the code for "Token Customization" examples.

0 Karma
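
An added consolidated example, not posted by anyone in this thread: it splits the store number into its digits and an optional letter suffix, looks the whole suffix up in a single `case`, and leaves values such as 0126 untouched, which avoids both the dropped rows and the 1502_marshmallow_crush double match discussed above. The field names `num`, `suffix` and `label` and the sample value 1733j are assumptions made up for illustration; the suffix-to-name pairs are the ones mentioned in the thread.

```spl
| makeresults
| eval storeNum=split("1529k,1502aa,1407a,0126,1733j", ",")
| mvexpand storeNum
| rex field=storeNum "^(?<num>\d+)(?<suffix>[A-Za-z]*)$"
| eval label=case(suffix=="j", "skate",
                  suffix=="k", "candy",
                  suffix=="aa", "marshmallow",
                  suffix=="a", "crush")
| eval storeNum=if(isnull(label), storeNum, num."_".label)
| table storeNum
```

In a Simple XML dashboard a literal `$` in the search has to be written as `$$`; otherwise the text between two `$` characters is read as a token and the panel stays at "Search is waiting for input".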