- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to replace an alphanumeric string in a field?
I have query to count the URIs but in some places there are dynamic values so I am trying to replace dynamic values with a character like '*' so that same URI pattern will be considered as one value and list the total count irrespective of dynamic value. I tried below query but it is replacing only numbers.
Ex:
Query: ....|stats count by URI
Actual Result:
URI Count
abc/xyz/1000/uvw 1
abc/xyz/2000/uvw 1
abc/xyz/3000/uvw 1
abc/xyz/def/uvw/1234/a1b2c3d4/rst 1
abc/xyz/def/uvw/5678/e5f6g7h8/rst 1
Expected Result:
URI Count
abc/xyz/*/uvw 3
abc/xyz/def/uvw/*/*/rst 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@saibalabadra, please try to pipe the following eval and stats to your existing search:
<yourCurrentSearch>
| eval url_pattern=case(match(url,"abc\/xyz\/def\/uvw\/.*\/.*\/rst"),"abc/xyz/def/uvw/*/*/rst",match(url,"abc\/xyz\/.*\/uvw"),"abc/xyz/*/uvw")
| stats sum(count) as Count by url_pattern
Following is a run anywhere search based on sample data provided in the question
| makeresults
| eval data="abc/xyz/1000/uvw 1;abc/xyz/2000/uvw 1;abc/xyz/3000/uvw 1;abc/xyz/def/uvw/1234/a1b2c3d4/rst 1;abc/xyz/def/uvw/5678/e5f6g7h8/rst 1"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval url=mvindex(data,0), count=mvindex(data,1)
| fields - _time data
| eval url_pattern=case(match(url,"abc\/xyz\/def\/uvw\/.*\/.*\/rst"),"abc/xyz/def/uvw/*/*/rst",match(url,"abc\/xyz\/.*\/uvw"),"abc/xyz/*/uvw")
| stats sum(count) as Count by url_pattern
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are more variations but they are similar except that the position of dynamic values would very. I tried below rex command but it is replacing numbers only, if I update expression to consider alphanumeric then it is replacing all characters in the field and returning just slashes and asterisks.
|rex field=URI mode=sed "/s[0-9\s\t\n\v]+ | {2,} /* /g"
|stats count by URI
Result:
URI Count
abc/xyz//uvw 3
abc/xyz/def/uvw//a*b*c*d*/rst 1
abc/xyz/def/uvw//e*f*g*h/rst 1
|rex field=URI mode=sed "/s[a-zA-Z0-9\s\t\n\v]+ | {2,} /* /g"
|stats count by URI
URI Count
/// 3
//////* 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are those the only 2 specific patterns you need to handle, or are there more variations?
