Solved: How to Split a field that is the subject of a Top ...

Naji · ‎07-24-2023

When I ran the following query:

index="myindex" sourcetype="hamlet" environment=staging
| top limit=10 client
| eval percent = round(percent)
| rename client AS "Users", count AS "Requests", percent AS "Percentage %"

I get these results:

Users	Requests	Percentage %
joe.smith@alora.com	118	21
martha.taylor@gmail.com	80	14
paul.gatsby@aol.com	68	12

What I want instead are these results

Users	Requests	Percentage %
joe.smith	118	21
martha.taylor	80	14
paul.gatsby	68	12

I hope this helps. Sorry if my original post was confusing. I appreciate your help. Thank you

Naji · ‎07-26-2023

Thank you for your response. That query did not work for me at all. Here is what worked perfectly:

index="myindex" sourcetype="hamlet" environment=staging
| rex field=client mode=sed "s/"@aol.com"|"@gmail.com"/""/g"
| eval percent = round(percent)
| rename client AS "Users", count AS "Requests", percent AS "Percentage %"

In my case, I have one single domain to worry about.

View solution in original post

yuanliu · ‎07-25-2023

The revised question does show a difference between actual output and desired output. Your original post also included commands that looks to be able to correctly make the change, something like

index="myindex" sourcetype="hamlet" environment=staging
| top limit=10 client
| eval percent = round(percent)
| eval client = mvindex(split(client, "@"), 0)
| rename client AS "Users", count AS "Requests", percent AS "Percentage %"

Using the first table to reverse engineer the output from index="myindex" sourcetype="hamlet" environment=staging | top 10 client, I write the following emulation:

| makeresults
| eval _raw = "client	count	percent
joe.smith@alora.com	118	21
martha.taylor@gmail.com	80	14
paul.gatsby@aol.com	68	12"
| multikv
| fields - _* linecount
``` the above emulates
index="myindex" sourcetype="hamlet" environment=staging
| top 10 client
```

Putting these two together, I get emulated result that is exactly like you wanted:

Percentage %	Requests	Users
21	118	joe.smith
14	80	martha.taylor
12	68	paul.gatsby

In other words, I cannot see why your original code shouldn't work. Maybe you can play with that emulation and compare with real data from top 10, and let us know the difference?

Naji · ‎07-26-2023

Thank you for your response. That query did not work for me at all. Here is what worked perfectly:

index="myindex" sourcetype="hamlet" environment=staging
| rex field=client mode=sed "s/"@aol.com"|"@gmail.com"/""/g"
| eval percent = round(percent)
| rename client AS "Users", count AS "Requests", percent AS "Percentage %"

In my case, I have one single domain to worry about.

yuanliu · ‎07-24-2023

Could you define "not working"? This is a phrase to be avoided in the best of situations, let alone in a forum where volunteers have no insight into your dataset. How do your data look like? What is the result that does not meet your requirement? Obviously the commands you used are suitable for the problem, so the problem must be caused by data. But without illustration of either data or actual result, it is impossible to tell what exactly is causing a problem.

The most common problem of this type comes from possible multivalue in clientId. To handle multivalued calculation, use mvmap, like

index="myindex" sourcetype="hamlet" environment=staging |
eval tmp = mvmap(clientId, split(clientId,"@")) | 
eval sender = mvmap(tmp, mvindex(tmp,0)) |
top limit=10 sender |
eval percent = round(percent) |
rename sender AS "Users", count AS "Plays", percent AS "Percentage %"

Naji · ‎07-25-2023

I edited my post for clarity. Thank you

How to Split a field that is the subject of a Top command?

eval

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?