Getting Data In

Split the name

dchalasani
Path Finder

Hi,

I have a values name like AV:EC2:ES:401 and AV:EC2 Now I want to show only EC2 how to show it.

Can anyone please correct this query

index=aws sourcetype=description |dedup signature_id |eval tmp=split(signature_id,"-") |eval services=mvindex(tmp,0)|stats count by services

Tags (2)
0 Karma
1 Solution

kmorris_splunk
Splunk Employee
Splunk Employee

You are splitting your field on the "-" delimiter instead of the ":". Also, in your mvindex, you want 1, not 0. The 0 would be the first value, or "AV" in your example.

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

index=aws sourcetype=description
| dedup signature_id
| rex field=services mode=sed "s/^[^:]+:// s/:.*$//"
0 Karma

dchalasani
Path Finder

Thanks Woodcock..

I am using this one index=aws sourcetype=description | dedup signature_id
| eval tmp=split(signature_id,":")
|eval services=mvindex(tmp,1)
| eval tmp2 = split(services,"-")
| eval services = mvindex(tmp2,0) | stats count by services

Now I want to show the services in Row format how to convert this column to row... I tried to use xyseries but it is not working..

Can you please correct the above string with Row format

Thanks

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

You are splitting your field on the "-" delimiter instead of the ":". Also, in your mvindex, you want 1, not 0. The 0 would be the first value, or "AV" in your example.

0 Karma

DalJeanis
Legend

First, if you were using split, you need to get the delimiter right, and to select the second field, you would use offset 1.

index=aws sourcetype=description 
| dedup signature_id 
| eval tmp=split(signature_id,":") 
| eval services=mvindex(tmp,1)
| stats count by services

Second, you could use rex just as well

index=aws sourcetype=description 
| dedup signature_id 
| rex field=signature_id "^[^:]+:(?<services>[^:]+) 
| stats count by services
0 Karma

dchalasani
Path Finder

Thank You DalJeanis and Kmorris for you help

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

Glad to help.

0 Karma

dchalasani
Path Finder

I am using this one index=aws sourcetype=description | dedup signature_id
| eval tmp=split(signature_id,":")
|eval services=mvindex(tmp,1)
| eval tmp2 = split(services,"-")
| eval services = mvindex(tmp2,0) | stats count by services

Now I want to show the services in Row format how to convert this column to row... I tried to use xyseries but it is not working..

Can you please correct the above string with Row format

Thanks

0 Karma

DalJeanis
Legend

@dchalasani - (1) please start a new question for a new subject. (2) you can only "accept" one answer, but if an answer or comment is helpful, you can upvote them instead. (3) to transpose this, you could use untable and some other commands, or you can do this after your stats count by services -

| eval {services} = count
| fields - services count
| stats values(*) as *

The above assumes that all values of "services" would be valid field names.

dchalasani
Path Finder

Thanks Dal!

dchalasani
Path Finder

Thanks Split is working..Can you do one correction It showing like EC2-007 and CLT-005. Now i want to remove that -007. want only EC2 or CLT to display

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

You could use the same method on that field:

[BASE SEARCH]
| eval tmp=split(signature_id,":")
|eval services=mvindex(tmp,1)
| eval tmp2 = split(services,"-")
| eval services_nonum = mvindex(tmp2,0)
0 Karma

dchalasani
Path Finder

Still It is showing CLT-002 CFM-002 EC2-004 EC2 CS EC2-011 Like this..

I want only services name like EC2,CLT,CFM...like that

0 Karma

dchalasani
Path Finder
services    count

1 ALB-001 1
2 CFM-001 1
3 CFM-002 1
4 CLT-002 1
5 CLT-003 1
6 CLT-004 1
7 CLT-005 1
8 CLT-006 1
9 CS 1
10 EC2 2
11 EC2-001 1
12 EC2-002 1
13 EC2-003 2
14 EC2-004

0 Karma

dchalasani
Path Finder

I tried to do like this..It is also not working

index=aws sourcetype=description | dedup signature_id
| eval tmp=split(signature_id,":")
|eval services=mvindex(tmp,1)
| eval tmp2 = split(services,"-")
| eval services_nonum = mvindex(tmp2,0) | eval tmp3=split(signature_id,"-") | eval services_nonum = mvindex(tmp3,0)| stats count by services

0 Karma

dchalasani
Path Finder

Now it is working Thank you very much I removed_nonum..

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

Is your stats command counting by services? I had changed the name in my example to services_nonum. You could either use that or change that to services and leave the stats command line alone.

dchalasani
Path Finder

Other than split there is any other way to do it?

0 Karma

aakwah
Builder

Hello,

If signature_id has these values: AV:EC2:ES:401 and AV:EC2, then your query need to be edited like this:

index=aws sourcetype=description |dedup signature_id |eval tmp=split(signature_id,":") |eval services=mvindex(tmp,1)|stats count by services

you can use rex command as well

Regards

0 Karma

dchalasani
Path Finder

Thanks Split is working..Can you do one correction It showing like EC2-007 and CLT-005. Now i want to remove that -007 or -005. I want only EC2 or CLT to display

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...