Re: How can I add list of field values into an ar...

power12 · ‎06-10-2024

I have a search that outputs the hostlist by test.

index=abc | stats count by host test | stats count as total_count values(host) as host_list by test which gives me list of hosts by test like below

test	host_list
new	abc0002 abc0003 abc0004 abc0005 abc0006 abc0007 abc0008 abc0009 abc0010 abc0011 abc0012 abc0013 abc0014 abc0015 abc0016 abc0017 abc0018 abc0019 abc0020 abc0022 abc0024 abc0025 abc0026 abc0027 abc0028 abc0029 abc0031

II would like to group the range of host like [abc0002-abc0020] [abc0022] [abc0024-abc0029] [abc0031] instead of the whole list by test like below image

test	host_list	host_array
new	abc0002 abc0003 abc0004 abc0005 abc0006 abc0007 abc0008 abc0009 abc0010 abc0011 abc0012 abc0013 abc0014 abc0015 abc0016 abc0017 abc0018 abc0019 abc0020 abc0022 abc0024 abc0025 abc0026 abc0027 abc0028 abc0029 abc0031	[abc0002-abc0020] [abc0022] [abc0024-abc0029] [abc0031]

Thank you in Advance Splunkers

bowesmana · ‎06-10-2024

I see you asked this in Slack, but you can use foreach on your final data example, there could be a better way to work it out in the foreach. Not sure what you want to do about the host name prefix, but if it's fixed you can add it back

| makeresults format=csv data="host_list
abc0002
abc0003
abc0004
abc0005
abc0006
abc0007
abc0008
abc0009
abc0010
abc0011
abc0012
abc0013
abc0014
abc0015
abc0016
abc0017
abc0018
abc0019
abc0020
abc0022
abc0024
abc0025
abc0026
abc0027
abc0028
abc0029
abc0031"
| eval test="new"
| stats values(host_list) as host_list by test

``` Above is creating your example data ```

``` Get the numeric part ```
| rex field=host_list max_match=0 "(?<prefix>[^0-9]*)(?<id>\d+)"
| eval c=0
| foreach id mode=multivalue [ eval n=<<ITEM>>, diff=n-prev, ss=case(isnull(ss), mvindex(prefix, c).<<ITEM>>, diff>1, mvappend(ss, mvindex(prefix, c).<<ITEM>>), true(), ss), ee=case(isnull(ss), null(), diff>1, mvappend(ee, r), true(), ee), r=mvindex(prefix, c).<<ITEM>>, prev=n, c=c+1 ]
| eval ee=mvappend(ee, r)
| eval ranges=mvzip(ss, ee, "-")
| fields - diff id n prev r ss ee c

bowesmana · ‎06-11-2024

Based on your Slack response, I think this is what you will want

...your search ...
| rex field=host_list max_match=0 "(?<prefix>[^0-9]*)(?<id>\d+)"
| eval prefix=mvdedup(prefix)
| foreach id mode=multivalue [ eval n=<<ITEM>>, diff=n-prev, ss=case(isnull(ss), n, diff>1, mvappend(ss, n), true(), ss), ee=case(isnull(ss), null(), diff>1, if(r=mvindex(ss,-2), mvappend(ee, " "), mvappend(ee, r)), true(), ee), r=n, prev=n ]
| eval ee=if(r=mvindex(ss,-1), mvappend(ee, " "), mvappend(ee, r))
| eval ranges=prefix."[".mvjoin(rtrim(mvzip(ss, ee, "-"), "- "), ",")."]"
| fields - diff id n prev r ss ee

KendallW · ‎06-10-2024

Hi @power12 try something like this (assuming the host names all follow the same format)

index=abc
| rex field=host "(?<hostname>\w+)(?<hostnum>\d+)"
| eval hostnum=tonumber(hostnum)
| eval hostgroup=case(hostnum>=2 AND hostnum<=20, "group1", hostnum=22, "group2", hostnum>=24 AND hostnum<=29, "group3", hostnum=31, "group4")
| stats count by host test hostgroup
| stats count as total_count values(host) as host_list by test, hostgroup

How can I add list of field values into an array

join

regex

stats

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?