Splunk Search

How do you combine results based on substring?

sarahw3
Explorer

I have results such as "No image", "No Images", "No images: Blank", etc. I want to combine all results that say no images into one result that I can count. How can I do this in the search bar?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

your base search
| rex "(?<Status>No Image|Never Checked|Not Working)"
| stats count by Status

alancalvitti
Path Finder

Why am I getting no results using substr (vs. rex)? E.g. group by the first 10 characters of my_field values:

index=my_index  | eval prefix=substr(my_field,1,10) | stats count by prefix

I've checked that the following does return results:

index=my_index  | stats count by my_field

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Glad it worked out for you. Don't forget to close the question by accepting the answer that worked.

sarahw3
Explorer

Now it is not working for me. Is there a way to say if the string starts with No Images, keep the first 9 characters of that string and forget the rest? Ex. "No Images- Computer failed" would be cut to just "No images"?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Sure, try like this

your base search
| eval Status=case(searchmatch("No Image"),"No Images", searchmatch("Never Checked"),"Never Checked", searchmatch("Not Working"),"Not Working")
| stats count by Status

0 Karma

sarahw3
Explorer

Haha sorry for all the questions! I am very new to Splunk haha! So we record the name of the cameras, and a few years ago we changed the format of how we enter the names. Ex. PSA turned into 07789PSA. Is there a way I can combine those two formats into one for all 100+ cameras we have? I have a dropdown menu and I want each camera to have just one option so that all the data for that one camera is together.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

I'm pretty sure you can, but I need to know more before I can suggest something. Does the camera name come as part of a field or raw? What is the current dropdown query?

0 Karma

sarahw3
Explorer

It is raw data. We manually put the status of the camera next to the camera name in a google sheet which I have put into Splunk. The dropdown lets me choose the name of the facility and then I have another dropdown that will then let you select the name of the camera in that location that you want. The problem is that PSA and 07789PSA are both shown on the dropdown menu. I want to be able to combine them so all the data from the camera is being used by the panels on the dashboard.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Ok. Just need your current Camera Name dropdown query.

0 Karma

sarahw3
Explorer

It is Camera_Location

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Add the following eval to your dropdown query

| eval Camera_Location=replace(Camera_Location,"^\d+","")

0 Karma

sarahw3
Explorer

Brilliant!!! Thank you!!!!!!

0 Karma

sarahw3
Explorer

Yay that worked perfectly!!! Thank you so so so so so much!!!!!!

0 Karma

mipeters_splunk
Splunk Employee
Splunk Employee

If that is the case, you should have not just accepted the answer but also upvoted it 😉

0 Karma

rbreton
Path Finder

Have you tried using an 'if' function?

| eval new_field = if(like(your_field, "No image%"), "No Image", your_field)

0 Karma

rbreton
Path Finder

I have a similar search. See if this can help...
| eval status = if(like(status, "No Image%"), "No image", status)
| stats count by status

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi sarahw3,
If you want the number of "No images", try something like this:

your_search "No image*"| stats count

Bye.
Giuseppe

0 Karma

sarahw3
Explorer

I also have other results, like "Not Checked" and "Working". Is there a way I can display those counts as well as the combo of "No images"?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Insert all these values in a lookup (e.g. called No_Images.csv with one column called query) and run a search like this:

your_search [ | inputlookup No_Images.csv | fields query ] | stats count

In this way you search for all strings in your lookup.

Bye.
Giuseppe

0 Karma

sarahw3
Explorer

It is still not working for me. I have the following events and their frequency when I do stats count by Status:
No Image: 30
No Images: 15
No image-Blank: 40
No image-Rebooted: 21
Never Checked: 132
Not Working: 21

I would like it to display like the following:
No Images: 106
Never Checked: 132
Not Working: 21

I have very little experience with Splunk so I apologize for not understanding. I really appreciate your help!!

0 Karma
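The event list in the last post mixes "No Image" and "No image", and both rex and like() are case-sensitive by default, which is why a plain "No Image" pattern leaves the lowercase variants uncollapsed. The search below is an added example, not code from any poster in this thread; it assumes the raw values are in a field named Status (as in the last post) and that "your base search" is the same placeholder used throughout the thread. It uses match() with the (?i) flag to fold every variant into the three requested buckets before counting.

```spl
your base search
| eval Status=case(
    match(Status, "(?i)^No Images?"), "No Images",
    match(Status, "(?i)^Never Checked"), "Never Checked",
    match(Status, "(?i)^Not Working"), "Not Working",
    true(), Status)
| stats count by Status
```

The final true() branch keeps any value that matches none of the patterns rather than dropping it to null, so unexpected statuses still show up in the count instead of silently disappearing.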