Splunk Search

Grouping by name

Contributor

Hi,
In my search results i have numbers like this and i would like to group them by group1 and group2.
Where group1 =263806,263807,263808,263809,263810,263811
and rest numbers should be group2

So i have used the below expression, i see group1 but group2 is not working properly

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])\$/group1/g" | rex mode=sed field=x "s/([^(26380[6-9]]\$|[^26381[0-1]]\$)/group2/g" | stats count by x

183512

217654

217655

217656

217657

224808

263806

263807

263808

263809

263810

263811

279992

279996
314724

Tags (1)
1 Solution
SplunkTrust

You'll need to specify the boundary of your numeric string. Assuming the strategy is right aggressive, you answer should look like this:

``````| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])\$/group1/g"
| rex mode=sed field=x "s/\d+/group2/g"
| stats count by x
``````

The errors in your second expression take some nuance to explain, but you do not need any complexity. If your expression for the first group is correct, just use the side effect of mode sed: the second expression will never see numbers in the first group.

Esteemed Legend

Like this:

``````| makeresults
| eval x="183512 217654 217655 217656 217657 224808 263806 263807 263808 263809 263810 263811 279992 279996 314724"
| makemv x
| mvexpand x

| rename COMMENT AS "Everything above creates test event data; everything below is your solution"

| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])\$/group1/g s/^\d+\$/group2/g"
| stats count by x
``````
SplunkTrust

You'll need to specify the boundary of your numeric string. Assuming the strategy is right aggressive, you answer should look like this:

``````| rex mode=sed field=x "s/(26380[6-9]|26381[0-1])\$/group1/g"
| rex mode=sed field=x "s/\d+/group2/g"
| stats count by x
``````

The errors in your second expression take some nuance to explain, but you do not need any complexity. If your expression for the first group is correct, just use the side effect of mode sed: the second expression will never see numbers in the first group.

Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...

Reminder! Splunk Love Promo: \$25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first <A ...