My events can include a fieldname with a pattern like:
To group calculations by product type, I think about creating a new key-value pair like
type=producttypeA. I could use a CASE command, but then I need to know all producttype* that will appear in the future.
Is there a way to use something like COALESCE in combination with a wildcard or LIKE, to grab the first appearing fieldname as value?
Thanks in advance
Could you detail your question?
You can group events by type using the stats command, but you already know that!
If you want, you could also populate a lookup with a scheduled search and list all the type values to use in your statistic searches.
I'm not sure if I understand completely what your request is. Are you saying Splunk is extracting different product names from your events as their own individual fields? Could you provide a few samples of your events, and a screen shot? I may be able to help, but I'd need to see the data first.
I would like to extract a new key value pair from fieldnames that can appear in the events.
Let's say we have 3 events, with these fieldnames and amounts.
What I want to do here is to transform fieldnames with the pattern producttype* into values for the new field "type". So in the end, I have a new field per event.
I tried that out but the search shows an error:
Error in 'SearchOperator:regex': Usage: regex (=|!=)
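Added example (not from any participant in the thread): one way to turn wildcard-matched fieldnames into values is Splunk's `foreach` command, which expands a subsearch template once per field matching `producttype*`. Inside the template, `"<<FIELD>>"` in double quotes is the field's name as a string literal and `'<<FIELD>>'` in single quotes is that field's value, so the first non-null `producttype*` field in each event supplies both `type` and `amount`, with no need to enumerate product types in a `case()`. The first three lines only build constructed sample events (one `producttype*` field per event, with made-up amounts); on real data, replace them with the base search.

```spl
| makeresults count=3
| streamstats count AS n
| eval producttypeA=if(n=1, 10, null()), producttypeB=if(n=2, 25, null()), producttypeC=if(n=3, 7, null())
| fields - n _time
| foreach producttype* [eval type=if(isnotnull('<<FIELD>>'), "<<FIELD>>", type), amount=if(isnotnull('<<FIELD>>'), '<<FIELD>>', amount)]
| stats sum(amount) AS total BY type
```

The `isnotnull('<<FIELD>>')` guard matters because `foreach` expands over every matching field name present in the result set, not only the ones present in a given event; without it, the last template expansion would overwrite `type` on every event. If only the suffix is wanted (`A` instead of `producttypeA`), `<<MATCHSTR>>` gives the part of the name that matched the wildcard.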