Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replace a value in a multivalue field?

jmedved
Explorer
‎02-19-2016 02:28 PM

I am trying to report on user web activity to a particular category as well as list the URLs in that category. I have the following so far.

Search...
| eval MB = bytes_to_server/1024/1024
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

This works, but I would like to consolidate some of the URLs. For example, I would like to just make lb1.cloudsite.com, lb2.cloudsite.com, etc into 1 url of cloudsite.com

I attempted using the following eval and it works, but I am left with no other results. I read up on the case function and I understand why it does that, but I am still looking for another function that will do that as well as leave me with the other results that do not match.

| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com")
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 02:33 PM

YOu need to provide the default value for the case so that if it's not matching cloudsite.com, to use current URL value. Something like this

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com",1=1,url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

SInce you're using just one condition, you can use if condition as well.

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=if(searchmatch("*.cloudsite.com"), "cloudsite.com",url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 02:33 PM

YOu need to provide the default value for the case so that if it's not matching cloudsite.com, to use current URL value. Something like this

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com",1=1,url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

SInce you're using just one condition, you can use if condition as well.

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=if(searchmatch("*.cloudsite.com"), "cloudsite.com",url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-22-2016 08:46 AM

Instead of 1==1, I use true().

Reply
Solved! Jump to solution

jmedved
Explorer
‎02-23-2016 01:28 PM

Thanks somesoni2! This worked for me. I don't know the difference between 1==1 and true(), but 1==1 seems to be doing the trick.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-23-2016 01:32 PM

Both 1=1 and True() generate boolean true (always), means if any of prior conditions are not true, the value following 1=1 OR true() will be used.

I would say true() will be more efficient method as it's generating boolean true without any evaluation.

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...