Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a field from value of an existing field?

rwiley
Explorer
‎12-01-2016 07:57 AM

i have this search

index=cmedia sourcetype="adspecificsnmp" 
 | rex field=_raw mode=sed "s/=,/=NA,/g"
 | rex field=_raw max_match=0 "(?(\d+\.)+)(?\d+)=(?[^,]+)"
 | eval tempString=mvzip(sP, (mvzip (sS, sV, "~")), "~")
 | mvexpand tempString
 | rex field=tempString "(?[^~]+)~(?[^~]+)~(?(.*))"
 | eval myString=stringPrefix."".stringSuffix
 | lookup ACMCodes.csv Suffix as stringSuffix OUTPUT Description as description
 | table description, stringValue

this is partial result. there are 28 values in all

     description,                  stringValue
1   Version ,                   2
2   Box ,                       0
3   Port    ,                      0
4   NodeNumber,                 1
5   PositioinofSpot,               1
6   ScheduleSpotPosition,         1
7   EventPosition,               4
8   FramesPerSec,                 30
9   Owner,                       0

i need the description as a field with value of stringValue

Version ,       Box ,         Port,            NodeNumber,         PositionofSpot,
      2 ,         0 ,           0 ,                    1 ,                     1 ,

i hope this makes sense

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Flynt
Splunk Employee
Splunk Employee
‎12-01-2016 01:02 PM

A bit shoestringed here but what if you try

|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

For example in the following test search -

|stats count|fields - count|eval description="Version ,", stringValue="2"|append [|stats count|fields - count|eval description="Box ,", stringValue="0"]|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

Version and Box should show up in the same row.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-02-2016 12:32 AM

Hi rwiley,
did you tried with the transpose command?
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

Flynt
Splunk Employee
Splunk Employee
‎12-01-2016 01:02 PM

A bit shoestringed here but what if you try

|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

For example in the following test search -

|stats count|fields - count|eval description="Version ,", stringValue="2"|append [|stats count|fields - count|eval description="Box ,", stringValue="0"]|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

Version and Box should show up in the same row.

0 Karma
Reply
Solved! Jump to solution

rwiley
Explorer
‎12-07-2016 05:48 AM

thanks Flynt! just what i needed. sorry to take so long on reply. got pulled to another project.

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎12-01-2016 12:42 PM

How about you try |eval {description,}=stringValue right at the end which will create a field name for each description, which it sees and then tabulate that using | table (*,)
Explanation here for the eval expression above

 index=cmedia sourcetype="adspecificsnmp" 
  | rex field=_raw mode=sed "s/=,/=NA,/g"
  | rex field=_raw max_match=0 "(?(\d+\.)+)(?\d+)=(?[^,]+)"
  | eval tempString=mvzip(sP, (mvzip (sS, sV, "~")), "~")
  | mvexpand tempString
  | rex field=tempString "(?[^~]+)~(?[^~]+)~(?(.*))"
  | eval myString=stringPrefix."".stringSuffix
  | lookup ACMCodes.csv Suffix as stringSuffix OUTPUT Description as description
  | eval {description,}=stringValue
  | table (*,)
0 Karma
Reply
Solved! Jump to solution

rwiley
Explorer
‎12-01-2016 12:57 PM

This works. but it doesn't bring it in in one row. it brings in the value for stringValue but the rest of the row is empty.

example:
Date SpotID Zone Channel
1 date

2 478393
3 CNN
4 zone

i was hoping to get this
Date SpotID Zone Channel
1 date 478393 zone CNN

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
li.common.scroll-to.top