Reporting

use partial data from a field in reports

bhartmann
New Member

Hi,

We have a version field with 4 numbers, for instance 2018.1.0.1234 (major.minor.patch.build)

One report will need the full version number, but we also want a chart which essentially throws away patch.build (leaving just values such as 2018.0, 2018.1, etc.). Of course we could send the data with a second key to get the shorter values, but I assume there are better ways so we can keep our data throughput down.

Would appreciate help with example(s) of how to achieve this.

Thanks!

0 Karma
1 Solution

adonio
Ultra Champion

hello there,

Many ways to go about this one; here is a sample using the | rex command to create 4 fields as you asked above.
Run this search anywhere to check:

    | makeresults count=1 
    | eval version="2018.1.0.1234,2018.2.0.1234,2018.1.2.1234,2018.1.0.1235"
    | makemv delim="," version
    | mvexpand version
    | rex field=version "(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)\.(?<build>\d+)"

From here you can go many ways, for example:

    | eval major_minor = major.".".minor

hope it helps

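Building on the accepted answer, here is an added example (not from the original post, and not Splunk's own code) that carries the same rex extraction through to a chart-ready result. It uses constructed version strings, keeps the numeric major and minor fields alongside the joined major_minor label so the chart orders 2018.10 after 2018.2 rather than alphabetically, and gives versions the regex cannot parse an explicit bucket instead of letting them silently drop out of stats (a BY field that is null excludes the event). The field names major, minor, patch, build and major_minor, and the sample values, are assumptions for this example.

```spl
| makeresults count=1
| eval version="2018.1.0.1234,2018.2.0.1234,2018.1.2.1234,2018.1.0.1235,2018.10.0.12,2019.0"
| makemv delim="," version
| mvexpand version
| rex field=version "^(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)\.(?<build>\d+)$"
| eval major_minor=if(isnotnull(major), major.".".minor, "unparsed")
| eval major=coalesce(major, -1), minor=coalesce(minor, -1)
| stats count BY major, minor, major_minor
| sort num(major), num(minor)
| fields major_minor, count
```

The anchored regex (^ and $) means a string with fewer or more than four numeric parts yields no major field at all, which the first eval turns into the "unparsed" row; the second eval gives those rows a numeric placeholder so stats keeps them. The original version field is left untouched, so the full-version report can use the same search minus the stats line. To avoid shipping a second key from the forwarder, the same rex pattern (or an eval such as replace(version, "^(\d+\.\d+)\..*$", "\1")) can be defined once at search time as a field extraction or calculated field in props.conf, which keeps indexed data volume unchanged.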
