Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to properly extract fields using regex
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmak
Contributor
03-25-2013
10:06 AM
I have a following field in my data
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
This means that I have 3 types of cells in this particular event (cell names are dynamic).
How can I split this up so that it is like :
cells : "aN20%title", cells : "basic%ipin", cells : "basic%opin"
so that a command such as
stats count by cells
will produce the following list (can be used to populate dropdowns):
aN20%title
basic%ipin
basic%opin
I also would like to filter my cells, for example:
cells="aN20%title" OR cells="basic%ipin"
This would return all events that have either aN20%title or basic%ipin showing up in the cells field
The "=X" ("=1" in "aN20%title=1") is the number of instances that this type of cell appears.
I would need to be able to add this column with stats sum by cells command.
For example:
if I had 2 events
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
cells : "< aN20%title=2| basic%ipin=2> "
and I wanted to see the sum of the cells, I would receive
aN20%title : 3
basic%ipin : 9
basic%opin : 1
Thus, what is the best way to split this "cells" field up so that I can perform such commands.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonuwz
Influencer
03-25-2013
10:52 AM
Given that your initial field is called celldata and contains :
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
This will split out the data into individual events you can massage with stats :
... | rex max_match=100 field=celldata "(?<key>[\S]+=\d+)"
| table _time key <other interesting fields here>
| mvexpand key
| rex field=key "(?<key>[^=]+)=(?<val>.*)"
optionally :
| stats sum(val) by key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonuwz
Influencer
03-25-2013
10:52 AM
Given that your initial field is called celldata and contains :
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
This will split out the data into individual events you can massage with stats :
... | rex max_match=100 field=celldata "(?<key>[\S]+=\d+)"
| table _time key <other interesting fields here>
| mvexpand key
| rex field=key "(?<key>[^=]+)=(?<val>.*)"
optionally :
| stats sum(val) by key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmak
Contributor
03-25-2013
11:02 AM
This is amazing, thanks :).
Just to let anyone who reads this know,
it should be field=cells instead of celldata (just to eliminate any confusion)
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
