Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you separate fields into different variables based on the beginning letter of field?

ibdubs
Explorer
‎03-28-2019 08:03 AM

So I'm sure I'm missing something obvious, but I cannot for the life of me find something similar to what I'm looking for.

I'm trying to take a search that returns all Accounts that have changed their password, and separate them into the 3 different types of accounts I have with a count.

The different accounts start with different letters, which can be searched with Account_Name=R* to get the R account type.

Index=foo EventCode=bar | act1=count(if Account_Name=R*), act2=count(if Account_Name=D*)...etc |table act1 act2 act3

I tried my best to find this, but I simply cannot figure out where to start with that conditional.

Thank you in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DMohn
Motivator
‎03-28-2019 08:17 AM

Try this:

index=foo EventCode=bar | eval Account_Type=case(Account_Name=="R*","AccountType1",Account_Name=="D*","AccountType2",Account_Name=="X*","AccountType3",1==1,"unknown" | stats count by Account_Type

View solution in original post

Reply
Solved! Jump to solution

ibdubs
Explorer
‎03-28-2019 08:49 AM

noted in a comment below
index=foo EventCode=bar | eval Account_Type=case(like(Account_Name,"R%"),"AccountType1",like(Account_Name,"D%"),"AccountType2",like(Account_Name,"X%"),"AccountType3",1==1,"unknown") | stats count by Account_Type

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-28-2019 08:18 AM

You would need to use string match functions of eval e.g. like or match for it.

 index=foo EventCode=bar | eval act1=count(like(Account_Name,"R%"),1,0) , act2=count(like(Account_Name,"D%"),1,0) ,acct3=count(like(Account_Name,"R%"),1,0)  | stats sum(act*) as act*
0 Karma
Reply
Solved! Jump to solution

ibdubs
Explorer
‎03-28-2019 08:30 AM

I get the below error with this version of the search

Error in 'eval' command: The 'count' function is unsupported or undefined

0 Karma
Reply
Solved! Jump to solution
Solution

DMohn
Motivator
‎03-28-2019 08:17 AM

Try this:

index=foo EventCode=bar | eval Account_Type=case(Account_Name=="R*","AccountType1",Account_Name=="D*","AccountType2",Account_Name=="X*","AccountType3",1==1,"unknown" | stats count by Account_Type
Reply
Solved! Jump to solution

ibdubs
Explorer
‎03-28-2019 08:29 AM

When I do this it labels them all as "unknown" but does contain the correct count next to it.

0 Karma
Reply
Solved! Jump to solution

DMohn
Motivator
‎03-28-2019 08:32 AM

Okay, then modify the query like this:

index=foo EventCode=bar | eval Account_Type=case(like(Account_Name,"R%"),"AccountType1",like(Account_Name,"D%"),"AccountType2",like(Account_Name,"X%"),"AccountType3",1==1,"unknown") | stats count by Account_Type
Reply
Solved! Jump to solution

ibdubs
Explorer
‎03-28-2019 08:46 AM

This did require a "," after the first accounttype1 and a parenthesis at the end (for any future users) but this works perfectly thank you! Its been driving me nuts

Reply
Solved! Jump to solution

DMohn
Motivator
‎03-28-2019 08:51 AM

Sorry, edited the typos for convenience. Glad it helped.

If you could mark the answer as accepted it would help future users 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...
Top