Splunk Search

How do I make splunk read one word as another?

BITSIntern
Path Finder

Hi guys,

I am inputting wordlists into splunk and in some of the wordlists there are certain words like "racist" and then "race" where they are similar.

My wordlists look like this:
race, 23
racist, 2
test, 12
testing, 22

Where "race" is in the field "word" and "23" is in the field "count".

I need to figure out a way to tell splunk to read "racist" and "race" as the same word such that when I create a dashboard in pivot where the x-axis is "word" and the y-axis is "count", the first 2 lines of my example are "race, 25" (making the x-axis say "race" and have the column reach to 25 on the y-axis).

I had done this before with ip addresses having splunk read the source and destination and make them add the count if they were the same but I can't figure this out.

If you know how to create a search such that this works please let me know! Also, if you do not fully understand what I am saying please feel free to ask for clarification.

Thanks!

0 Karma

maciep
Champion

so something like this maybe?

.... | eval word = if (word="racist","race",word) | stats count by word

If you have more words to do something similar with, then maybe a case statement would be better than an if. And if you have a lot of words to worry about and they may be updating often, then a lookup might be best.

I don't do a whole lot with pivot myself, but I think you can use the above example to create an evaluated field maybe?
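The three variants mentioned above (if, case, lookup) written out against the wordlist from the question, as an added example that is not part of maciep's answer. The index and sourcetype names are placeholders, and the lookup file word_aliases.csv (columns word, canonical, e.g. "racist,race" and "testing,test") is assumed to have been uploaded via Settings > Lookups. Because the wordlist already carries a count field, the final stats sums that field rather than counting events, which is what turns "race, 23" and "racist, 2" into "race, 25":

```spl
index=<your_index> sourcetype=<your_wordlist_sourcetype>
| eval word=case(word="racist", "race",
                 word="testing", "test",
                 true(), word)
| stats sum(count) AS count BY word
```

For the lookup-driven version, replace the eval with `| lookup word_aliases.csv word OUTPUT canonical | eval word=coalesce(canonical, word)` and keep the same stats line; any word without a row in word_aliases.csv then falls through unchanged. In Pivot the equivalent is an eval-based calculated field on the data model (Settings > Data models > Add Field > Eval Expression) holding the case() expression, after which you can put the calculated field on the x-axis and sum(count) on the y-axis.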

BITSIntern
Path Finder

That helped a lot but because the count for the words is in the actual document that I uploaded I need to use pivot so I can control the y-axis, but I don't think I can anymore since it created a statistical report. Do you have any other suggestions?

Thanks!

0 Karma

maciep
Champion

again, I don't do much with pivot. Did you create the data model? Or are you just using it? Do you have to use pivot or can you just search the data directly?

It's hard to really give you a good answer without better understanding the situation. But I'm sure there is a way to do this.

0 Karma