Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can we categorize the into fields based on the value of the field?

vrmandadi
Builder
‎11-15-2017 08:40 AM

Hello,

I have the below field with values

Source

abc_hd
xyz_hd
ppp
sqr_sd
aaa_sd

I want to create a new field called version with values as SD and HD,all the values with the _HD are HD and the other is counted as SD LIKE BELOW

Version
SD-3
hd-2

Tags (1)
0 Karma
Reply

elliotproebstel
Champion
‎11-15-2017 09:07 AM

For this, I'd use a case statement and evaluate the field value with like to find the matching values and then use eventstats to count the matches before appending the type and count to create the desired Version field:

[ base search ] | eval type=case(like(Source, "%_hd"), "HD", like(Source, "%_sd"), "SD") | eventstats count BY type | eval Version=type."-".count | fields - type count
0 Karma
Reply

vrmandadi
Builder
‎11-15-2017 09:18 AM

hello elliotproebstel,

the SD ones some have _SD and some dont ,I tried your query but this not show any results

0 Karma
Reply

elliotproebstel
Champion
‎11-15-2017 11:12 AM

Ah, yes, I missed that nuance. Sorry! Try this:

 [ base search ] | eval type=if(like(Source, "%_hd"), "HD", "SD") | eventstats count BY type | eval Version=type."-".count | fields - type count

That should assign HD as the type for events containing _hd and assign SD as the type for all others.

Reply

vrmandadi
Builder
‎11-15-2017 01:29 PM

Thank you ,I tried this | eval Version=if(match(Source,"_hd"),"HD","SD")
| stats count by Version

I was actually using wild character and it was throwing error

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-15-2017 08:59 AM

Hi vrmandadi
try something like this

your_search
| rex field=source "(?<HD>hd|HD)$"
| eval Version=if(HD=*,"HD","SD")
| stats count BY Version

Bye.
Giuseppe

0 Karma
Reply

vrmandadi
Builder
‎11-15-2017 09:14 AM

Hi cudello,
I am getting the below error

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*,"HD","SD")'.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-16-2017 02:29 AM

try

your_search
 | rex field=source "(?<HD>hd|HD)$"
 | eval Version=if(HD="*","HD","SD")
 | stats count BY Version

Bye.
Giuseppe

0 Karma
Reply

somesoni2
Revered Legend
‎11-15-2017 08:59 AM

You can try like this (function coalesce is setting sd as default value of no version if found on Source)

your search with field Source
| eval Version=coalesce(mvindex(split(Source,"_"),-1),"sd")
| stats count by Version
0 Karma
Reply

vrmandadi
Builder
‎11-15-2017 09:14 AM

Hi somesoni2 it only extracted HD

0 Karma
Reply

somesoni2
Revered Legend
‎11-15-2017 09:20 AM

Can you post some sample (if possible real value with sensitive data replaced with dummy char, try to keep the punctuations) where it failed to extract? It assumes that last segment after underscore is version in the values of field Source.

0 Karma
Reply

somesoni2
Revered Legend
‎11-15-2017 09:25 AM

Also give this a try

your search with field Source
 | eval Version=if(match(Source,"_hd"),"HD","SD")
 | stats count by Version
Reply

vrmandadi
Builder
‎11-15-2017 09:38 AM

This one worked ,I was using this one but I was using wildcharater * which was throwing me an error

Thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...