Splunk Search

Any better way to rename

Maniteja81
New Member

Hi this is my data structure, i'm trying to rename clk1 , clk2, clk3 as something like this | rename clk* as *

But if i want to access the data beneath clk1 or clk2 then i need to use *.f1, *clk_name.

Please note: This data structure will increase as well, doing like this is not feasible for me.

Please suggest me any better way. Also i tried doing spath and regex (spath path=clk* output=tmp | rex field=tmp "clk\d*\":(?)") as well but this too did not help.

 clk1:  {   [-] 
     f1:     1322   
     ctrl:   abcd   
     clk_name:   clk1   
     f2:     10 
     fmode:  bold   
}   
 clk2:  {   [+] 
}   
 clk3:  {   [-] 
     ctrl:   cdbd   
     clk_name:   clk4   
     f1:     100    
     fmode:  bom    
}   
 clk4:  {   [+] 
}   
 clk5:  {   [+] 

Can you guys please help me on this.

0 Karma

Sukisen1981
Champion

it is s bit unclear what you want but try out the below 2 pieces of code and let us know if it is aything similar to what you need -
Code 1:

| makeresults 
|  eval tmp="clk1:    {    [-]    
      f1:     1322    
      ctrl:     abcd    
      clk_name:     clk1    
      f2:     10    
      fmode:     bold    
   }    
    clk2:    {    [+]    
   }    
    clk3:    {    [-]    
      ctrl:     cdbd    
      clk_name:     clk4    
      f1:     100    
      fmode:     bom    
   }    
    clk4:    {    [+]    
   }    
    clk5:    {    [+]    "
| rex field=tmp "(?ms)clk\d+\:+\s+\{+\s+\[+\-+\](?<clk>.*?)}" max_match=0
| fields clk
| fields - _time
| mvexpand clk
| rex field=clk "\w+\:(?<data>.*)" max_match=0
| mvexpand data

Code 2:

    | makeresults 
    |  eval tmp="clk1:    {    [-]    
          f1:     1322    
          ctrl:     abcd    
          clk_name:     clk1    
          f2:     10    
          fmode:     bold    
       }    
        clk2:    {    [+]    
       }    
        clk3:    {    [-]    
          ctrl:     cdbd    
          clk_name:     clk4    
          f1:     100    
          fmode:     bom    
       }    
        clk4:    {    [+]    
       }    
        clk5:    {    [+]    "
    | rex field=tmp "(?ms)clk\d+\:+\s+\{+\s+\[+\-+\](?<clk>.*?)}" max_match=0
    | fields clk
    | fields - _time
    | mvexpand clk
    | rex field=clk "f1\:(?<f1>.*)"
    | rex field=clk "ctrl\:(?<ctrl>.*)"
    | rex field=clk "clk_name\:(?<clkname>.*)"
    | rex field=clk "f2\:(?<f2>.*)"
    |  rex field=clk "fmode\:(?<fmode>.*)"
0 Karma

Maniteja81
New Member

Hi,

Thanks for your reply, i'm looking for a query to access the elements clk1, clk2, clk3.

For suppose if i'm trying to access clk_ctrl key name which is present the clk3 hash.

Then my query would like rename clk3.* as * | table clk_ctrl , something like this.

But the above one is just hard coding, please note this is just a few data. There will be lot of hashes will come.

So that's the reaon i'm checknig with you guys if there is any better way to access the hash elements , without hardcoding this clk1, clk2 or clk3 hashes.

0 Karma

Sukisen1981
Champion

hi @Maniteja81 - clk_ctrl name is present in bith clk3 as well as clk1 hash in your example.
Are you trying to say the field name clk3 or clk1 is not consistent and can come with any other name as well?
Sorry, i am not able to understand, you could write a simple regex something that extracts values between the } and the : , so you would get all clk values at one go?
}

clk4:

0 Karma

Maniteja81
New Member

Yes the field names clk3 or clk1 can be any name and can be so many hashes.

Like clk1: {
}
clk2: {
}
clk3: {
}
.
.
.
clk20: {
}

My only problem is, how to access the elements inside these clk hashes.

I can not hardcode this in my query.

You are saying to use regex, can you please provide me one example

0 Karma

Sukisen1981
Champion

Hi @Maniteja81
I understand that it can be from clk1 ....clk100 or even more, but the first characters will always be starting with clk for the main hash?
I had pasted 2 codes in my first answer, can you try out the first code and see the values of clk and data fields, is that something near to what you need?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...