Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the Splunk SPL for matching same values and output to an additional column with a newly defined value?

mbasharat
Builder
‎02-21-2019 11:47 AM

Hi,

I have a field named OS

This field is populating multiple values such as below after running the following SPL:

| inputlookup Host.csv
| stats dc(host) as Count by OS
| fields - Count

Result:

WINDOWS NT
WINDOWS SERVER 2003
WINDOWS SERVER 2008
WINDOWS SERVER 2012
LINUX
LINUX 6.7
LINUX 7.0
SOLARIS 9
SOLARIS 10

I want an additional column in results that if:

All the Windows above should display Windows
All the Linux above, should display Linux
and so on in an additional column like below:

alt text

How? I tried to use eval and case but seems like not getting it or having a long day.

Thanks in-advance

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎02-21-2019 11:57 AM

Based on OS values you posted in question, something like this would work (assuming first letter in the OS value is OS Group)

| inputlookup Host.csv
| stats dc(host) as Count by OS
| fields - Count
| eval OS_Group=mvindex(split(OS," "),0)

If you know that available OS values are Static, you can do this eval-case implementation

| inputlookup Host.csv
| stats dc(host) as Count by OS
| fields - Count
| eval OS_Group=case(match(OS,"LINUX"),"Linux", match(OS,"WINDOWS"), "Windows", match(OS,"SOLARIS"), "Solaris",...other matches will come here..., true(),"Default Group Value Here")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-21-2019 01:27 PM

Hi @mbasharat

You can try this also

| inputlookup Host.csv 
| stats dc(host) as Count by OS 
| fields - Count 
| rex field=OS "(?P<os>^([\w\-]+))" 
| eval os = upper(substr(os,1,1)).lower(substr(os,2))
0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎02-22-2019 05:24 AM

Hi @ vnravikumar

This one worked too with slight adjustment with my need. I am going to up-vote this as well. Thanks.

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-22-2019 02:37 PM

Thanks. Please up vote.

Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎02-21-2019 11:57 AM

Based on OS values you posted in question, something like this would work (assuming first letter in the OS value is OS Group)

| inputlookup Host.csv
| stats dc(host) as Count by OS
| fields - Count
| eval OS_Group=mvindex(split(OS," "),0)

If you know that available OS values are Static, you can do this eval-case implementation

| inputlookup Host.csv
| stats dc(host) as Count by OS
| fields - Count
| eval OS_Group=case(match(OS,"LINUX"),"Linux", match(OS,"WINDOWS"), "Windows", match(OS,"SOLARIS"), "Solaris",...other matches will come here..., true(),"Default Group Value Here")
0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎02-21-2019 12:26 PM

@ somesoni2

Is it possible to do something like this for matching before and after?

| inputlookup Host.csv
| stats dc(host) as Count by OS
| fields - Count
| eval OS_Group = case(match(OS,"%LINUX%"),"Linux", match(OS,"%WIN%"), "Windows", match(OS,"%SOL%"), "Solaris", true(),"OS")

OR

  • | eval OS_Group = case(match(OS,"asterikLINUXasterik"),"Linux", match(OS,"asterikWINasterik"), "Windows", match(OS,"asterikSOLasterik"), "Solaris", true(),"OS")

I have a long list of different versions of several OSs and I want an additional column so I can categorize them in an OS_Group and then use these for drop down filter menus.

Also, What is this true() doing here?

Thx

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎02-21-2019 12:53 PM

If you're using match function like I mentioned in my answer, you don't have to use a wildcard (e.g. % OR *). The match(OS,"LINUX") will check if value of field OS contains word LINUX (not doing exact match). You'd see the results when you actually run the search. It is same as like(OS,"%LINUS%%") and match(OS,".*LINUX.*").

The function true() (which is always true) is the condition I added to allow default value (means if value of field OS doesn't match any of your match, this value will be used).

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎02-21-2019 01:15 PM

Sounds good. I used second option and accomodated in my need. Worked great. Thanks @somesoni2

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...