I have this search:
index=nitro_iPad | rex "iPad-ip(?<storeNum>[^-]+)" | rex "iOS(?<osversion>[^-]+)" | table osversion storeNum | dedup storeNum
Here is an image of my results:
I want to alter my results so that when it says ####j, it becomes ####_skate, and likewise for all of the letters present; for example, 1529k would turn into 1529_candy.
I figured a rename function would work, but I tried it to no avail; I am guessing I just did it incorrectly.
Thank you!
Give this a try:
index=nitro_iPad | rex "iPad-ip(?<storeNum>[^-]+)" | rex "iOS(?<osversion>[^-]+)" | table osversion storeNum | eval storeNum=case(match(storeNum,"^\d+j$"),replace(storeNum,"^(\d+)j$","\1_skate"),match(storeNum,"^\d+\w+$"), replace(storeNum,"^(\d+)\w+$","\1_candy"),true(),storeNum) | dedup storeNum
Hi JoshuaJohn,
try adding something like this to your search (I inserted only two options in the case function, but you can insert others):
| eval storeNum=substr(storeNum,1,4)+case(substr(storeNum,5)="j","_skate",substr(storeNum,5)="k","_candy")
Bye.
Giuseppe
This works, but it will completely ignore ones without a letter behind the name, like 0126.
Like this:
... | rex field=storeNum mode=sed "s/\D+$/_candy/"
This also works, but the problem I am having here is with situations like 1502aa, which would be 1502_marshmallow, while 1407a would be 1407_crush; instead, 1502 shows up like this: 1502_marshmallow_crush.
Then you chain them up like this:
... | rex field=storeNum mode=sed "s/k$/_candy/ s/aa$/_marshmallow/ s/a$/_crush/"
I am getting a weird "search is waiting for input" when I start to chain.
Make sure that you are doing the tokening correctly. Download this app and check out the examples:
https://splunkbase.splunk.com/app/1603/
Check out the code for "Token Customization" examples.
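Pulling the thread together, here is an added example (not code from any of the posters above) of a single search that handles every case raised in the replies: the suffix is isolated once and compared exactly, so 1502aa maps to 1502_marshmallow without a second rule for a trailing a firing on top of it, and an explicit empty-suffix branch keeps a bare 0126 as 0126 instead of turning it into null. The suffix-to-name pairs are the ones given in the thread; the fallback that turns any unlisted suffix into "_" followed by the suffix is an assumption, as are the helper field names storeDigits, storeSuffix and storeName.

```spl
index=nitro_iPad
| rex "iPad-ip(?<storeNum>[^-]+)"
| rex "iOS(?<osversion>[^-]+)"
| rex field=storeNum "^(?<storeDigits>\d+)(?<storeSuffix>[A-Za-z]*)$"
| eval storeSuffix=lower(coalesce(storeSuffix,""))
| eval storeName=case(
      storeSuffix=="aa", "_marshmallow",
      storeSuffix=="a",  "_crush",
      storeSuffix=="j",  "_skate",
      storeSuffix=="k",  "_candy",
      storeSuffix=="",   "",
      true(),            "_" . storeSuffix)
| eval storeNum=coalesce(storeDigits . storeName, storeNum)
| table osversion storeNum
| dedup storeNum
```

The second rex splits storeNum into its digits and an optional alphabetic suffix; coalesce turns a missing suffix into an empty string so the empty-suffix branch of case can match, and the outer coalesce leaves any value that does not fit the digits-plus-letters pattern unchanged. Because each branch compares the whole suffix rather than running substitutions in sequence, the order of the branches no longer matters. If this search runs inside a Simple XML dashboard panel, every literal $ (the $ anchor in the rex, for instance) must be written as $$; otherwise the dashboard reads $...$ as an unset token and reports that the search is waiting for input, which is the symptom described above.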