- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I use a value in an existing field to c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to create a new field called TYPE, which is dependent on the word "summary" or "detail" appearing in the TITLE field, so I can then count by TYPE.
I successfully filtered my logs to identify reports with "summary" or "detail" in the title:
|search(title="*summary*" OR "*detail*")
Then, I tried to create TYPE and set its output values to "Report Summary" or "Detailed Report":
|eval type=if(match(title,"*summary*"), "Report Summary", match(title, "*detail*"), "Detailed Report")
I also tried doing a field extraction, but the title field does not appear in the Select Fields box to be highlighted.
I'm stuck. Please help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your stacked if should really be a case and your RegEx like this:
index=YouShouldAlwaysSpeciryAnIndex sourcetype=AndSourcetypeToo title="*summary*" OR "*detail*"
| eval type=case(match(title, "(?i)summary"), "Report Summary",
match(title, "(?i)detail"), "Detailed Report",
true(), "THIS SHOULD NEVER EVER HAPPEN")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ejohn, since both answers worked, why don't you choose the one that runs the quickest, or consumes the least CPU/RAM or whatever you like, and then mark it as the answer and upvote both?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jkat54, thanks for the suggestion. I decided to accept the answer with the higher EPS.
Adding each eval to the rest of my search against 10 months of logs in Verbose mode:
|eval type=case(match(title...) returned 14,190 EPS
and
|eval type=if(match(title...)returned 13,408 EPS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jkat54 and @woodcock this is my first real attempt a crowdsourcing and I like it! You guys have been awesome!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @ejohn, anytime sir! That's what we do. Feel free to tag us when needed. @woodcock almost always has the best answer but I keep trying!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your stacked if should really be a case and your RegEx like this:
index=YouShouldAlwaysSpeciryAnIndex sourcetype=AndSourcetypeToo title="*summary*" OR "*detail*"
| eval type=case(match(title, "(?i)summary"), "Report Summary",
match(title, "(?i)detail"), "Detailed Report",
true(), "THIS SHOULD NEVER EVER HAPPEN")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the quick response!
I tried this with * and with .* for wildcards, but I get the following error:
Error in 'eval' command: The arguments to the 'searchmatch' function are invalid.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was adding features to searchmatch in my mind! Try updated answer instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I changed * to .* in the eval and it worked!
Thanks so much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ARGH! You are right again. That's what I get for writing RegEx in my head. I will fix the original answer (the right answer is to not have the asterisks at all).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked too!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ejohn - if it worked, please "accept" the answer so the question will show as complete.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Match uses regular expressions so
* matches * and .* matches everything
Try this instead:
| eval type=if(match(title,".*summary.*"),"Report Summary",if(match(title, ".*detail.*"),"Detailed Report","Unknown Type"))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for responding so quickly!
This is creating the TYPE field, but it's only returning the value "unknown type". Could this have something to do with special characters in the titles?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As long as the titles are have lowercase summary or detail, it should work fine.
If summary can be upper or lower you can do this instead
.*[sS][uU][mM][mM][aA][rR][yY].*
Same syntax for details.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Once I capitalized summary and detail it worked. Now I know how to account for upper and lower too.
Thanks for the help!
Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!
Splunk and Fraud
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
