- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I make splunk read one word as another?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I make splunk read one word as another?
Hi guys,
I am inputting wordlists into splunk and in some of the wordlists there are certain words like "racist" and then "race" where they are similar.
My wordlists look like this:
race, 23
racist, 2
test, 12
testing, 22
Where "race" is in the field "word" and "23" is in the field "count".
I need to figure out a way to tell splunk to read "racist" and "race" as the same word such that when I create a dashboard in pivot where the x-axis is "word" and the y-axis is "count", the first 2 lines of my example are "race, 25" (making the x-axis say "race" and have the column reach to 25 on the y-axis).
I had done this before with ip addresses having splunk read the source and destination and make them add the count if they were the same but I can't figure this out.
If you know how to create a search such that this works please let me know! Also, if you do not fully understand what I am saying please feel free to ask for clarification.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so something like this maybe?
.... | eval word = if (word="racist","race",word) | stats count by word
If you have more words to do something similar with, then maybe a case statement would be better than an if. And if you have a lot of words to worry about and they may be updating often, then a lookup might be best.
I don't do a whole lot with pivot myself, but I think you can use the above example to create an evaluated field maybe?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That helped a lot but because the count for the words is in the actual document that I uploaded I need to use pivot so I can control the y-axis, but I don't think I can anymore since it created a statistical report. Do you have any other suggestions?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
again, I don't do much with pivot. Did you create the data model? Or are you just using it? Do you have to use pivot or can you just search the data directly?
It's hard to really give you a good answer without better understanding the situation. But I'm sure there is a way to do this.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
