Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to properly extract fields using regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a following field in my data
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
This means that I have 3 types of cells in this particular event (cell names are dynamic).
How can I split this up so that it is like :
cells : "aN20%title", cells : "basic%ipin", cells : "basic%opin"
so that a command such as
stats count by cells
will produce the following list (can be used to populate dropdowns):
aN20%title
basic%ipin
basic%opin
I also would like to filter my cells, for example:
cells="aN20%title" OR cells="basic%ipin"
This would return all events that have either aN20%title or basic%ipin showing up in the cells field
The "=X" ("=1" in "aN20%title=1") is the number of instances that this type of cell appears.
I would need to be able to add this column with stats sum by cells command.
For example:
if I had 2 events
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
cells : "< aN20%title=2| basic%ipin=2> "
and I wanted to see the sum of the cells, I would receive
aN20%title : 3
basic%ipin : 9
basic%opin : 1
Thus, what is the best way to split this "cells" field up so that I can perform such commands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Given that your initial field is called celldata and contains :
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
This will split out the data into individual events you can massage with stats :
... | rex max_match=100 field=celldata "(?<key>[\S]+=\d+)"
| table _time key <other interesting fields here>
| mvexpand key
| rex field=key "(?<key>[^=]+)=(?<val>.*)"
optionally :
| stats sum(val) by key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Given that your initial field is called celldata and contains :
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
This will split out the data into individual events you can massage with stats :
... | rex max_match=100 field=celldata "(?<key>[\S]+=\d+)"
| table _time key <other interesting fields here>
| mvexpand key
| rex field=key "(?<key>[^=]+)=(?<val>.*)"
optionally :
| stats sum(val) by key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is amazing, thanks :).
Just to let anyone who reads this know,
it should be field=cells instead of celldata (just to eliminate any confusion)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
