- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add string on a field value?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys!
I am creating a table with number of errors per robot. The field values of these robots are "IGH2001", "IGH2002" and "IGH2003".
I used a rex command and was able to extract the last 3 digits which are 001, 002 and 003.
Now, I wanted to add "Robot" in front of the 3 digits to have field values of Robot 001 Robot 002 Robot 003.
How can I do that?
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @auaave,
Can you please try something like this, first 4 lines used to generate dummy data only.
| makeresults
| eval field1="001"
| append [ | makeresults | eval field1="002"]
| append [ | makeresults | eval field1="003"]
| eval newfield="Robot"." ".field1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @auaave,
Can you please try something like this, first 4 lines used to generate dummy data only.
| makeresults
| eval field1="001"
| append [ | makeresults | eval field1="002"]
| append [ | makeresults | eval field1="003"]
| eval newfield="Robot"." ".field1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harsmarvania57, thanks for your reply! Based on your input, I have written the code as per below. However, I am having this error "Error in 'makeresults' command: This command must be the first command of a search. "
| chart count(IDEVENT) as ERROR_QTY by ERROR_DESC
| rex field=ROBOT "(?(0\d+))"
| makeresults
| eval field1="001"
| append
[| makeresults
| eval field1="002"]
| append
[| makeresults
| eval field1="003"]
| eval newfield="Robot"." ".field1
| sort ERROR_QTY DESC LIMIT=10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Query which I had provided was generating dummy data so you do not require first 4 lines from my query . Now based on query you have provided, you are not capturing regex output in any field, try something like this (But I am bit surprised that in chart command you are not using field ROBOT then how can you use ROBOT field in rex command after chart command ??
| rex field=ROBOT "(?<extracted_field>(0\d+))"
| eval extracted_field="Robot"." ".extracted_field
| chart count(IDEVENT) as ERROR_QTY, values(extracted_field) as extracted_field by ERROR_DESC
| sort ERROR_QTY DESC LIMIT=10
In above query 001, 002, 003 ... will store into new field called extracted_field and after that we are concatenating Robot with output value in that field.
EDIT: Updated query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harsmarvia57, thanks a lot! the last one worked!! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
