Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to use 2 evals in the query on the basis of regex check.

abhinav_aashish
Explorer
‎07-19-2021 05:39 AM

I've the following data in my table

part1.part2.answer.local
part1-part2..part3.part4.answer.net
part11.part11-part11.answerxyz.net
part1-part2-part3-part4.answer.net
part1-part2-part3-part6.answer.com

part127.09 abcd (+789)
part127.08 abcd (+123)
part127.06 abcd (+456)


I want to split it as follows :
1.) If there is a space present in the data then it should be returned exactly as it is

input-------------------------------------output
part127.09 abcd (+789)-------- part127.09 abcd (+789)
part127.08 abcd (+123)------- part127.08 abcd (+123)
part127.06 abcd (+456) --------part127.06 abcd (+456)

2.) If there is no space then the part before the first dot should be returned

input------------------------------------------------------ output
part1.part2.answer.local ----------------------------------part1
part1-part2..part3.part4.answer.net------------------- part1-part2
part11.part11-part11.answerxyz.net ------------------part11
part1-part2-part3-part4.answer.net -------------------part1-part2-part3-part4
part1-part2-part3-part6.answer.com------------------part1-part2-part3-part6


I've tried this :

 

 

 

index=ind sourcetype=src
| fields f1
| where f1 != "null"
| dedup f1
| eval temp=f1

| eval derived_name_having_space=if(match(f1,"\s*[[:space:]]+"),1,0)

| eval with_Space=f1
| where derived_name_having_space=1

| eval without_Space=mvindex(split(temp,"."),0)
| where derived_name_having_space=0

| table with_Space without_Space f1

 

 

 

Here I'm not getting any rows returned.


--------------------------------------------------------------------------
But , In the above query when I remove the part

 

 

 

| eval without_Space=mvindex(split(temp,"."),0)
| where derived_name_having_space=0

 

 

 

I get the correct results of the rows where derived_name_having_space=1 .
---------------------------------------------------------------------------

Similarly, when I remove the part

 

 

 

| eval with_Space=f1
| where derived_name_having_space=1

 

 

 

I don't get the correct results of the rows where derived_name_having_space=0 .

input ---------------------------------------------output
part127.09 abcd (+789)-------------------- -part127
part127.08 abcd (+123) -------------------- part127
part127.06 abcd (+456) -------------------- part127

Since they all evaluate to the same result it creates a problem while deduping.
-------------------------------------------------------------------------------


I've used the regex class from here : https://www.debuggex.com/cheatsheet/regex/pcre

Can anyone point me where I'm missing it or any other approach should be followed?
Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-19-2021 07:32 AM

Try this query.  The conditional logic is handled by the if function within the eval statement.

index=ind sourcetype=src
| fields f1
| where f1 != "null"
| dedup f1
| eval f1=if(match(f1,"\s*[[:space:]]+"),f1,mvindex(split(temp,"."),0))
| table f1

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-19-2021 05:48 AM

The query has conflicting where statements.  The first where reduces the results to those with the value 1 in the derived_name_having_space field.  The next where says to show only the results with 0 in the same field, but the first where already eliminated those so there's nothing to display.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

abhinav_aashish
Explorer
‎07-19-2021 05:53 AM

I totally get it what you are saying but I could not find other way.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-19-2021 07:32 AM

Try this query.  The conditional logic is handled by the if function within the eval statement.

index=ind sourcetype=src
| fields f1
| where f1 != "null"
| dedup f1
| eval f1=if(match(f1,"\s*[[:space:]]+"),f1,mvindex(split(temp,"."),0))
| table f1

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

abhinav_aashish
Explorer
‎07-20-2021 01:37 AM

Thanks @richgalloway .
It worked.

0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...