Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify field values?

Splunkuser18
Engager
‎07-14-2018 12:12 AM

Hi

I have the following fields (FileName and FileSize) that I'd like to turn into the example table below. How can I remove the commas and the opening and closing square brackets from the field values?

FileName
-----------
[]  <--- empty
[yellow.png, orange.jpg, green.gif]
[yellow.png, orange.jpg]

FileSize
-----------
[0]
[4321, 45678, 321]
[4321, 45678]

Table example
------------------------------------------------------
|   FileName      |     FileSize    |   Count
------------------------------------------------------
|   yellow.png    |     4321         |  2
|   orange.jpg    |     45678        |  2
|   green.gif    |  321          |  1

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-14-2018 12:57 AM

Hi @Splunkuser18,

Try this,

"base search to extract FileName and FileSize"|table FileName,FileSize|eval FileName=replace(FileName,"\[|\]","")|eval FileSize=replace(FileSize,"\[|\]","")
|eval FileName=if(FileName=="","EMPTY",FileName)
|makemv delim="," FileName|makemv delim="," FileSize|eval zipped=mvzip(FileName,FileSize)|fields zipped
|mvexpand zipped|eval splitted=split(zipped,",")|eval FileName=mvindex(splitted,0),FileSize=mvindex(splitted,1)|fields FileName,FileSize
|stats count ,values(FileSize) as FileSize by FileName
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-14-2018 11:02 AM

Like this:

Your Search Here
| foreach * [ rex field=<<FIELD>> mode=sed "s/[\s\[\]]//g" | makemv delim="," <<FIELD>> ]
| eval tuple=mvzip(FileName, FileSize)
| fields tuple
| mvexpand tuple
| rex field=tuple "^(?<FileName>[^,]+),(?<FileSize>[^,]+)$"
| stats count avg(FileSize) AS FileSize BY FileName
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-16-2018 07:14 AM

Did you try any others? This one is simpler...

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-14-2018 10:53 AM

Like this:

Your Search Here
| eval _count=0
| foreach * [ rex field=<<FIELD>> mode=sed "s/[,\[\]]//g"
            | eval _count = _count + if(isnotnull(<<FIELD>>), 1, 0) ]
| rename _count AS count
0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-14-2018 12:57 AM

Hi @Splunkuser18,

Try this,

"base search to extract FileName and FileSize"|table FileName,FileSize|eval FileName=replace(FileName,"\[|\]","")|eval FileSize=replace(FileSize,"\[|\]","")
|eval FileName=if(FileName=="","EMPTY",FileName)
|makemv delim="," FileName|makemv delim="," FileSize|eval zipped=mvzip(FileName,FileSize)|fields zipped
|mvexpand zipped|eval splitted=split(zipped,",")|eval FileName=mvindex(splitted,0),FileSize=mvindex(splitted,1)|fields FileName,FileSize
|stats count ,values(FileSize) as FileSize by FileName
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...