I was trying to create calculated fields as field values are huge. For 1 field I could do that. For other field where values are lengthy i could not do with eval replace
EVAL-Category = replace('Category',"Change Request","CR")
EVAL-Category = replace('Category',"Central Functions","CF")
EVAL-Category = replace('Category',"Materials Management (MM)","MM")
Also tried with query - index="myindex"| stats values(Category) |eval Category = replace(Category,"Change Request","CR") is not working
Values are like Change Request-Structural Method-blah blah.. I want to replace with short form for values.. How to get that? Please suggest
Thanks for response everyone.. None of these are working.. My field values are like "Change Request - HR & Payroll - Time Management (TM)" and "Change Request - Logistics - Materials Management (MM)".. I have to replace part of the string in each field value.. Im able to get this done with rex and sed..
rex field=categories mode=sed "s/Change Request/CR/" |rex field=categories mode=sed "s/Central Functions/CF/"
But i want to add this as calculated field using eval.. Any ideas on this..? Thanks a lot..
I used "Eval Case" to replace the values similar to this. We ended up using a lookup table, since there were 70 possible values and the query was thus very long.
Here's a snippet of my code that you could adapt. In my case, I wanted to add the more verbose value. So PEGA0001 was replaced with the longer version after the comma. The 1=1, "Google It.." at the end is a catch all, for any value not defined in the case string.
|eval PegaAlertV=case(PegaAlert="PEGA0001","PEGA0001-HTTP interaction time exceeds limit",
PegaAlert="PEGA0002","PEGA0002-Commit operation time exceeds limit",
PegaAlert="PEGA0003","PEGA0003-Rollback operation time exceeds limit",
PegaAlert="PEGA0004","PEGA0004-Quantity of data received by database query exceeds limit",
PegaAlert="PEGA0056","PEGA0056-Defragmentation of the table associated with class System-Locks takes too long",
1=1,"Google It..")
-JD
Try this:
query - index="myindex"| stats values(Category) | replace "Change Request" WITH "CR" IN Category
All in one go:
query - index="myindex"
| stats values(Category)
| replace "Change Request" WITH "CR"
, "Central Functions" WITH "CF"
, "Materials Management (MM)" WITH "MM" IN Category
index="myindex"| stats values(Category) |eval Category = replace(Category,"Change Request","CR")
replace should not be used like this with eval, i think. i remember this one should be "Case"
please try -
index="myindex"| stats values(Category) |eval Category = case(Category,"Change Request","CR")