Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to replace an alphanumeric string in a fie...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to replace an alphanumeric string in a field?
saibalabadra
New Member
06-01-2018
04:10 PM
I have query to count the URIs but in some places there are dynamic values so I am trying to replace dynamic values with a character like '*' so that same URI pattern will be considered as one value and list the total count irrespective of dynamic value. I tried below query but it is replacing only numbers.
Ex:
Query: ....|stats count by URI
Actual Result:
URI Count
abc/xyz/1000/uvw 1
abc/xyz/2000/uvw 1
abc/xyz/3000/uvw 1
abc/xyz/def/uvw/1234/a1b2c3d4/rst 1
abc/xyz/def/uvw/5678/e5f6g7h8/rst 1
Expected Result:
URI Count
abc/xyz/*/uvw 3
abc/xyz/def/uvw/*/*/rst 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
06-02-2018
04:13 AM
@saibalabadra, please try to pipe the following eval and stats to your existing search:
<yourCurrentSearch>
| eval url_pattern=case(match(url,"abc\/xyz\/def\/uvw\/.*\/.*\/rst"),"abc/xyz/def/uvw/*/*/rst",match(url,"abc\/xyz\/.*\/uvw"),"abc/xyz/*/uvw")
| stats sum(count) as Count by url_pattern
Following is a run anywhere search based on sample data provided in the question
| makeresults
| eval data="abc/xyz/1000/uvw 1;abc/xyz/2000/uvw 1;abc/xyz/3000/uvw 1;abc/xyz/def/uvw/1234/a1b2c3d4/rst 1;abc/xyz/def/uvw/5678/e5f6g7h8/rst 1"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval url=mvindex(data,0), count=mvindex(data,1)
| fields - _time data
| eval url_pattern=case(match(url,"abc\/xyz\/def\/uvw\/.*\/.*\/rst"),"abc/xyz/def/uvw/*/*/rst",match(url,"abc\/xyz\/.*\/uvw"),"abc/xyz/*/uvw")
| stats sum(count) as Count by url_pattern
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
saibalabadra
New Member
06-01-2018
09:29 PM
There are more variations but they are similar except that the position of dynamic values would very. I tried below rex command but it is replacing numbers only, if I update expression to consider alphanumeric then it is replacing all characters in the field and returning just slashes and asterisks.
|rex field=URI mode=sed "/s[0-9\s\t\n\v]+ | {2,} /* /g"
|stats count by URI
Result:
URI Count
abc/xyz//uvw 3
abc/xyz/def/uvw//a*b*c*d*/rst 1
abc/xyz/def/uvw//e*f*g*h/rst 1
|rex field=URI mode=sed "/s[a-zA-Z0-9\s\t\n\v]+ | {2,} /* /g"
|stats count by URI
URI Count
/// 3
//////* 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FrankVl
Ultra Champion
06-01-2018
06:21 PM
Are those the only 2 specific patterns you need to handle, or are there more variations?
Get Updates on the Splunk Community!
Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco
The Defining Technology Movement of Our Lifetime
The advent of agentic AI is arguably the defining technology ...
Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data
In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...
Your summer travels continue with new course releases
Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
