Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How normalize field values that have slightly different field values? Regex? Match? Replace?

UMDTERPS
Communicator
‎06-09-2021 02:03 PM

Hi! 👨‍💼


I am a little stuck on how to normalize "Operating System" data I have.  Currently, we have a field called "Operating System" our data looks something like this:

 

Operating System

Windows 10        Enterprise
Windows 10 
Windows 10 enterprise 
Windows 10 
windows 10 
windows 10 20H2
Windows 10 V2004
windows 10 2004
Windows Server 
windows server
RHEL8
RHEL 8
rhel8
rhel 8
rhel 8.6
Linux Server rel 8
Windows 2012r2
Windows Server 2012 R2
Windows Server 2012

 

After I did a stats count (because data isn't normalized) we have 170+ operating systems.  What is the most efficient way to normalize data without writing 170+  "replace" or "match" statements?

For example, how would I make the following just "RHEL 8": 

RHEL8
RHEL 8
rhel8
rhel 8
rhel 8.6
Linux Server rel 8

Thanks!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-09-2021 03:54 PM 
| eval os=case(match(os,"(?i)rhel\s*8[\d\.]*"),"RHEL 8",match(os,"Linux Server rel 8"),"RHEL 8",match(os,"(?i)\s*windows\s10.*"),"Windows 10",match(os,"Windows (|Server )2012.*"),"Windows Server 2012",1==1,os)

and so on

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-09-2021 03:02 PM

What do you mean by "normalize"? Do you want all the Windows * operating systems to be simply Windows, and all the rest to be *nix for example?

0 Karma
Reply
Solved! Jump to solution

UMDTERPS
Communicator
‎06-09-2021 03:39 PM

For example, how would I make the following just "RHEL 8": 

RHEL8
RHEL 8
rhel8
rhel 8
rhel 8.6
Linux Server rel 8

For example, how would I make the following just "Windows 10":

 Windows 10 Enterprise
Windows 10
Windows 10 enterprise
Windows 10
windows 10
windows 10 20H2
Windows 10 V2004
windows 10 2004

For example, how would I make the following just "Windows Server 2012":

Windows 2012r2
Windows Server 2012 R2
Windows Server 2012

Etc...

Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-09-2021 03:54 PM 
| eval os=case(match(os,"(?i)rhel\s*8[\d\.]*"),"RHEL 8",match(os,"Linux Server rel 8"),"RHEL 8",match(os,"(?i)\s*windows\s10.*"),"Windows 10",match(os,"Windows (|Server )2012.*"),"Windows Server 2012",1==1,os)

and so on

Reply
Solved! Jump to solution

UMDTERPS
Communicator
‎06-10-2021 07:53 AM

Doesn't seem to be working. For example, the field we have for OS is called "Operating System" and there is one entry that is "RHEL 8."  The following SPL, 

 

|eval "os"=case(match("os","RHEL 8"),"RHEL 8")
|fields ip "system" os

 


The search runs, no errors, but the search returns  nothing for "os:"

IP                         system    os
192.168.1.1      ABC 

"os" is blank, any ideas?

Thanks!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-10-2021 07:57 AM

If your field name has spaces in you need to enclose it is single quotes not double quotes.

Reply
Solved! Jump to solution

UMDTERPS
Communicator
‎06-10-2021 11:51 AM

Ahh Yes! Thanks!  It works now!  Karma Granted!

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top