Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a new key-value pair from various fieldnames with a similar pattern?

HeinzWaescher
Motivator
‎02-07-2017 02:37 AM

Hi,

my events can include a fieldname with a pattern like:

product_type_a
product_type_b
product_type_c

To group calculations by product type, I think about creating a new key-value pair like
type=product_type_A. I could use a CASE command, but then I need to know all product_type_* that will appear in the future.
Is there a way to use something like COALESCE in combination with a wildcard or LIKE, to grab the first appearing fieldname as value?

Thanks in advance
Heinz

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-07-2017 02:03 PM

Like this:

| rex max_match=1 "(?<type>product_type_\w+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gvmorley
Contributor
‎02-08-2017 02:32 AM

Hi,

Sounds like your just looking to use the rex command. So either of these depending on what format you want:

| rex "product_type_(?<type>[^\s]+)"

or

| rex "(?<type2>product_type_[^\s]+)"

Which would look like this:

alt text

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-07-2017 02:03 PM

Like this:

| rex max_match=1 "(?<type>product_type_\w+)"
0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎02-08-2017 02:09 AM

I tried that out but the search shows an error:

Error in 'SearchOperator:regex': Usage: regex (=|!=)

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-08-2017 09:58 AM

I had a typo! I meant rex, not regex! Try the fixed answer now!

0 Karma
Reply
Solved! Jump to solution

adayton20
Contributor
‎02-07-2017 04:28 AM

I'm not sure if I understand completely what your request is. Are you saying Splunk is extracting different product names from your events as their own individual fields? Could you provide a few samples of your events, and a screen shot? I may be able to help, but I'd need to see the data first.

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎02-08-2017 02:08 AM

I would like to extract a new key value pair from fieldnames that can appear in the events.
Let's say we have 3 events, with these fieldnames and amounts.

event1: product_type_a=5
event2: product_type_b=8
event:3 product_type_c=10

What I want to do here, is to transform fieldnames with the pattern product_type_* into values for the new field "type". So in the end, I have a new field per event

event1: type=product_type_a
event2: type=product_type_b
event3: type=product_type_c

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-07-2017 02:52 AM

Hi HeinzWaescher,
could you detail your question?
you can group events by type using stats command, but you already know!
if you want, you could also populate a lookup with a scheduled search and list all the type values to use in your statistic searches.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top