Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to replace a value in a multivalue field?

jmedved
Explorer
‎02-19-2016 02:28 PM

I am trying to report on user web activity to a particular category as well as list the URLs in that category. I have the following so far.

Search...
| eval MB = bytes_to_server/1024/1024
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

This works, but I would like to consolidate some of the URLs. For example, I would like to just make lb1.cloudsite.com, lb2.cloudsite.com, etc into 1 url of cloudsite.com

I attempted using the following eval and it works, but I am left with no other results. I read up on the case function and I understand why it does that, but I am still looking for another function that will do that as well as leave me with the other results that do not match.

| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com")
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 02:33 PM

YOu need to provide the default value for the case so that if it's not matching cloudsite.com, to use current URL value. Something like this

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com",1=1,url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

SInce you're using just one condition, you can use if condition as well.

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=if(searchmatch("*.cloudsite.com"), "cloudsite.com",url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 02:33 PM

YOu need to provide the default value for the case so that if it's not matching cloudsite.com, to use current URL value. Something like this

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com",1=1,url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

SInce you're using just one condition, you can use if condition as well.

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=if(searchmatch("*.cloudsite.com"), "cloudsite.com",url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-22-2016 08:46 AM

Instead of 1==1, I use true().

Reply
Solved! Jump to solution

jmedved
Explorer
‎02-23-2016 01:28 PM

Thanks somesoni2! This worked for me. I don't know the difference between 1==1 and true(), but 1==1 seems to be doing the trick.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-23-2016 01:32 PM

Both 1=1 and True() generate boolean true (always), means if any of prior conditions are not true, the value following 1=1 OR true() will be used.

I would say true() will be more efficient method as it's generating boolean true without any evaluation.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...