How to create a new key-value pair from various fieldnames with a similar pattern?

Motivator

Hi,

My events can include a fieldname with a pattern like:

producttypea
producttypeb
producttypec

To group calculations by product type, I think about creating a new key-value pair like
type=producttypeA. I could use a CASE command, but then I need to know all producttype* that will appear in the future.
Is there a way to use something like COALESCE in combination with a wildcard or LIKE, to grab the first appearing fieldname as value?

Thanks in advance
Heinz

0 Karma
Re: How to create a new key-value pair from various fieldnames with a similar pattern?

Legend

Hi HeinzWaescher,
Could you detail your question?
You can group events by type using the stats command, but you already know!
If you want, you could also populate a lookup with a scheduled search and list all the type values to use in your statistic searches.
Bye.
Giuseppe

0 Karma
Re: How to create a new key-value pair from various fieldnames with a similar pattern?

Contributor

I'm not sure if I understand completely what your request is. Are you saying Splunk is extracting different product names from your events as their own individual fields? Could you provide a few samples of your events, and a screen shot? I may be able to help, but I'd need to see the data first.

0 Karma
Re: How to create a new key-value pair from various fieldnames with a similar pattern?

Motivator

I would like to extract a new key value pair from fieldnames that can appear in the events.
Let's say we have 3 events, with these fieldnames and amounts.

event1: producttypea=5
event2: producttypeb=8
event3: producttypec=10

What I want to do here, is to transform fieldnames with the pattern producttype* into values for the new field "type". So in the end, I have a new field per event

event1: type=producttypea
event2: type=producttypeb
event3: type=producttypec

0 Karma
Re: How to create a new key-value pair from various fieldnames with a similar pattern?

Esteemed Legend

Like this:

| rex max_match=1 "(?<type>product_type_\w+)"

0 Karma
Re: How to create a new key-value pair from various fieldnames with a similar pattern?

Motivator

I tried that out but the search shows an error:

Error in 'SearchOperator:regex': Usage: regex (=|!=)

0 Karma
Re: How to create a new key-value pair from various fieldnames with a similar pattern?

Esteemed Legend

I had a typo! I meant rex, not regex! Try the fixed answer now!

0 Karma
Re: How to create a new key-value pair from various fieldnames with a similar pattern?

Contributor

Hi,

Sounds like you're just looking to use the rex command. So either of these, depending on what format you want:

| rex "product_type_(?<type>[^\s]+)"

or

| rex "(?<type2>product_type_[^\s]+)"

Which would look like this:

[screenshot]

0 Karma
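
Added example, not part of any post in this thread: when the product_type_* fields are already extracted, foreach with a wildcard gives the "COALESCE over a field-name pattern" the question asks about, so new product types are picked up without editing the search. The events are constructed with makeresults (marked in the source field), the underscore field naming follows the regexes in the answers above, and the amount and total field names are assumptions.

```spl
| makeresults count=4
| streamstats count AS n
| eval source="constructed_sample_events"
| eval product_type_a=case(n=1, 5, n=4, 2),
       product_type_b=if(n=2, 8, null()),
       product_type_c=if(n=3, 10, null())
| foreach product_type_*
    [ eval type=coalesce(type, if(isnotnull('<<FIELD>>'), "<<FIELD>>", null())),
           amount=coalesce(amount, '<<FIELD>>') ]
| stats sum(amount) AS total count AS events BY type
```

Because coalesce keeps the first non-null result, an event that carries more than one product_type_* field is assigned the first matching field name in foreach's iteration order.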