- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Split the name
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a values name like AV:EC2:ES:401 and AV:EC2 Now I want to show only EC2 how to show it.
Can anyone please correct this query
index=aws sourcetype=description |dedup signature_id |eval tmp=split(signature_id,"-") |eval services=mvindex(tmp,0)|stats count by services
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are splitting your field on the "-" delimiter instead of the ":". Also, in your mvindex, you want 1, not 0. The 0 would be the first value, or "AV" in your example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=aws sourcetype=description
| dedup signature_id
| rex field=services mode=sed "s/^[^:]+:// s/:.*$//"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Woodcock..
I am using this one index=aws sourcetype=description | dedup signature_id
| eval tmp=split(signature_id,":")
|eval services=mvindex(tmp,1)
| eval tmp2 = split(services,"-")
| eval services = mvindex(tmp2,0) | stats count by services
Now I want to show the services in Row format how to convert this column to row... I tried to use xyseries but it is not working..
Can you please correct the above string with Row format
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are splitting your field on the "-" delimiter instead of the ":". Also, in your mvindex, you want 1, not 0. The 0 would be the first value, or "AV" in your example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, if you were using split, you need to get the delimiter right, and to select the second field, you would use offset 1.
index=aws sourcetype=description
| dedup signature_id
| eval tmp=split(signature_id,":")
| eval services=mvindex(tmp,1)
| stats count by services
Second, you could use rex just as well
index=aws sourcetype=description
| dedup signature_id
| rex field=signature_id "^[^:]+:(?<services>[^:]+)
| stats count by services
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank You DalJeanis and Kmorris for you help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad to help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using this one index=aws sourcetype=description | dedup signature_id
| eval tmp=split(signature_id,":")
|eval services=mvindex(tmp,1)
| eval tmp2 = split(services,"-")
| eval services = mvindex(tmp2,0) | stats count by services
Now I want to show the services in Row format how to convert this column to row... I tried to use xyseries but it is not working..
Can you please correct the above string with Row format
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@dchalasani - (1) please start a new question for a new subject. (2) you can only "accept" one answer, but if an answer or comment is helpful, you can upvote them instead. (3) to transpose this, you could use untable and some other commands, or you can do this after your stats count by services -
| eval {services} = count
| fields - services count
| stats values(*) as *
The above assumes that all values of "services" would be valid field names.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Dal!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Split is working..Can you do one correction It showing like EC2-007 and CLT-005. Now i want to remove that -007. want only EC2 or CLT to display
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use the same method on that field:
[BASE SEARCH]
| eval tmp=split(signature_id,":")
|eval services=mvindex(tmp,1)
| eval tmp2 = split(services,"-")
| eval services_nonum = mvindex(tmp2,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still It is showing CLT-002 CFM-002 EC2-004 EC2 CS EC2-011 Like this..
I want only services name like EC2,CLT,CFM...like that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
services count
1 ALB-001 1
2 CFM-001 1
3 CFM-002 1
4 CLT-002 1
5 CLT-003 1
6 CLT-004 1
7 CLT-005 1
8 CLT-006 1
9 CS 1
10 EC2 2
11 EC2-001 1
12 EC2-002 1
13 EC2-003 2
14 EC2-004
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to do like this..It is also not working
index=aws sourcetype=description | dedup signature_id
| eval tmp=split(signature_id,":")
|eval services=mvindex(tmp,1)
| eval tmp2 = split(services,"-")
| eval services_nonum = mvindex(tmp2,0) | eval tmp3=split(signature_id,"-") | eval services_nonum = mvindex(tmp3,0)| stats count by services
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now it is working Thank you very much I removed_nonum..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your stats command counting by services? I had changed the name in my example to services_nonum. You could either use that or change that to services and leave the stats command line alone.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Other than split there is any other way to do it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
If signature_id has these values: AV:EC2:ES:401 and AV:EC2, then your query need to be edited like this:
index=aws sourcetype=description |dedup signature_id |eval tmp=split(signature_id,":") |eval services=mvindex(tmp,1)|stats count by services
you can use rex command as well
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Split is working..Can you do one correction It showing like EC2-007 and CLT-005. Now i want to remove that -007 or -005. I want only EC2 or CLT to display
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
