Splunk Search

How to replace a value in a multivalue field?

Explorer

I am trying to report on user web activity to a particular category as well as list the URLs in that category. I have the following so far.

Search...
| eval MB = bytes_to_server/1024/1024
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

This works, but I would like to consolidate some of the URLs. For example, I would like to just make lb1.cloudsite.com, lb2.cloudsite.com, etc into 1 url of cloudsite.com

I attempted using the following eval and it works, but I am left with no other results. I read up on the case function and I understand why it does that, but I am still looking for another function that will do that as well as leave me with the other results that do not match.

| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com")
0 Karma
1 Solution

SplunkTrust
SplunkTrust

YOu need to provide the default value for the case so that if it's not matching cloudsite.com, to use current URL value. Something like this

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com",1=1,url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

SInce you're using just one condition, you can use if condition as well.

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=if(searchmatch("*.cloudsite.com"), "cloudsite.com",url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

View solution in original post

SplunkTrust
SplunkTrust

YOu need to provide the default value for the case so that if it's not matching cloudsite.com, to use current URL value. Something like this

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com",1=1,url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

SInce you're using just one condition, you can use if condition as well.

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=if(searchmatch("*.cloudsite.com"), "cloudsite.com",url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

View solution in original post

Esteemed Legend

Instead of 1==1, I use true().

Explorer

Thanks somesoni2! This worked for me. I don't know the difference between 1==1 and true(), but 1==1 seems to be doing the trick.

0 Karma

SplunkTrust
SplunkTrust

Both 1=1 and True() generate boolean true (always), means if any of prior conditions are not true, the value following 1=1 OR true() will be used.

I would say true() will be more efficient method as it's generating boolean true without any evaluation.