- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to group uri strings inside a case stateme...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have three types of uris stored in a field called uri. The uris are as follows:
First type:
/a/b/c/1/d
/a/b/c/2/d
/a/b/c/3/d
/a/b/c/4/d
Second type:
/a/b/c/1/d/e
/a/b/c/2/d/e
/a/b/c/3/d/e
Third type:
/p/q/r/s/t/1/u/v/w
/p/q/r/s/t/2/u/v/w
I want to group them in case statement as:
eval uri=case( if uri is anything like /a/b/c/*/d then store "/a/b/c/x/d" in uri, if uri is anything like /a/b/c/*/d/e
then store /a/b/c/x/d/e in uri, if uri is anything like /p/q/r/s/t/*/u/v/w then store /p/q/r/s/t/x/u/v/w in uri)
Can anyone please assist to achieve this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gokadroid,
Can you please try this one?
| makeresults | eval uri="/a/b/c/1/d" | append [| makeresults | eval uri="/a/b/c/2/d"] | append [| makeresults | eval uri="/a/b/c/1/d/e"] | append [| makeresults | eval uri="/a/b/c/2/d/e"] | append [| makeresults | eval uri="/p/q/r/s/t/1/u/v/w"] | append [| makeresults | eval uri="/p/q/r/s/t/2/u/v/w"] | eval URI = case(like(uri,"/a/b/c/%%/d"),"/a/b/c/x/d",like(uri,"/a/b/c/%%/d/e"),"/a/b/c/x/d/e",like(uri,"/p/q/r/s/t/%%/u/v/w"),"/p/q/r/s/t/x/u/v/w")
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gokadroid, based on the details provided, please find the updated sample data and query. Command till mvexpand uri are to generate sample data.
Out of three patterns that you have provided two require string replacement at 4th position and longest one requires it at 6th position (it would have been quite easy if all of them where at 4th position ;)...but that we can only wish !!!).
So the approach I have taken is to
1) split() the uri by forward slash (/).
2) Then count total number of splits using mvcount(). Since there is a slash at the beginning of the string my count was 1 higher than the values. Nevertheless, our objective is to get longest string (i.e. 9 multi-value splits) vs other two smaller ones (i.e. 4 and 5 respectively).
3) Based on the the length set the index for field to be replaced as either 6 (for 9 multivalue splits) and 4 ( for less than 9 splits).
4) Extract the field to be replaced using mvindex(). So if the field to be replaced is abcdxyz1234, set it as /abcdxyz1234/ to be used in final replace command.
5) Make multivalued field as single value using nomv(). spaces (\s)
**6)** Replacecreated between combined multi-value field byforward slash (/)to make it back as single valueuri`.
7) Use concatenated final replace command to replace the string to be replaced with static string ( "/xyz" in the following example).
Following is the updated run anywhere search. Please try out and confirm.
| makeresults
| eval uri="/a/b/c/qFfs3-sds30s-sadsd2-qwewe/d;/a/b/c/12345678/d;/a/b/c/xxxxuyt8908/d;/a/b/c/abcdopi8765/d;/a/b/c/aDfp9-ret43w-poisd2-ewqewq/d/e;/a/b/c/65456374/d/e;/a/b/c/qweropi9089/d/e;/p/q/r/s/t/98765432/u/v/w;/p/q/r/s/t/aTyeu2-pot12y-popui2-abcert/u/v/w"
| makemv uri delim=";"
| mvexpand uri
| eval uri=split(uri,"/")
| eval url_parts=mvcount(uri)-1
| eval replace_idx=case(url_parts>=9,6,url_parts<9,4)
| eval url_replace="/".mvindex(uri,replace_idx)."/"
| nomv uri
| eval uri=replace(replace(uri,"\s","/"),url_replace,"/xyz/")
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gokadroid, what is x that you want to replace in URIs? Is it some static value?
Also 1, 2, 3 ... are these always digits? Is there any other section of URI containing only digits?
How about something like the following eval with replace():
| makeresults
| eval uri="/a/b/c/1/d;/a/b/c/2/d;/a/b/c/3/d;/a/b/c/4/d;/a/b/c/1/d/e;/a/b/c/2/d/e;/a/b/c/3/d/e;/p/q/r/s/t/1/u/v/w;/p/q/r/s/t/2/u/v/w"
| makemv uri delim=";"
| mvexpand uri
| eval uri_new=replace(uri,"\/(\d+)\/","/test/")
PS: Command until mvexpand mimics the sample data as per the question.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI NIketnilay,
I will try first one and let you know. However for the second comment-1,2,3 are not digits, nor static. They are an element of the uri which can be anything. Some sample of them are:
qFfs3-sds30s-sadsd2-qwewe
12345678
xxxxuyt8908
The replacement however can be static which we can choose to group them as like xxxx-xxxx-xxx-xxx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gokadroid,
Can you please try this one?
| makeresults | eval uri="/a/b/c/1/d" | append [| makeresults | eval uri="/a/b/c/2/d"] | append [| makeresults | eval uri="/a/b/c/1/d/e"] | append [| makeresults | eval uri="/a/b/c/2/d/e"] | append [| makeresults | eval uri="/p/q/r/s/t/1/u/v/w"] | append [| makeresults | eval uri="/p/q/r/s/t/2/u/v/w"] | eval URI = case(like(uri,"/a/b/c/%%/d"),"/a/b/c/x/d",like(uri,"/a/b/c/%%/d/e"),"/a/b/c/x/d/e",like(uri,"/p/q/r/s/t/%%/u/v/w"),"/p/q/r/s/t/x/u/v/w")
Thanks
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
