Splunk Search

How to use regex on field names?

tamakg
Path Finder

For example.

Is there any way to convert this:

alt text

into this?

Don't care about the numbers but the value of the second column (new) is a substr of the previous headers. Of course there are many other different "Disks".

alt text

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

your current search giving table in first screenshot
| untable _time fieldname fieldval
| eval fieldname=replace(fieldname,"^(.+_)(Avg_.+)","\2") 
| xyseries _time fieldname fieldval

If above works for you, look at definition of untable/xyseries command here, to understand the usage better:
http://docs.splunk.com/Documentation/SplunkLight/7.1.2/References/Listofsearchcommands

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try like this

your current search giving table in first screenshot
| untable _time fieldname fieldval
| eval fieldname=replace(fieldname,"^(.+_)(Avg_.+)","\2") 
| xyseries _time fieldname fieldval

If above works for you, look at definition of untable/xyseries command here, to understand the usage better:
http://docs.splunk.com/Documentation/SplunkLight/7.1.2/References/Listofsearchcommands

tamakg
Path Finder

Almost there. Missing the "removed field prefix" as a new column value.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

I didn't understand. What are you getting now and what's expected?

0 Karma

jodyfsu
Path Finder

If you can provide a sample event we can probably figure this out.

0 Karma

tamakg
Path Finder
0 Karma

jodyfsu
Path Finder
| rex field=PhysicalDisk_0_C_Avg__Disk_Bytes_Read "(?<DRIVE>\w+\_\d\_\w)\_(?<AVDBR>.[^\s]+)"
0 Karma

jodyfsu
Path Finder

See if that works.

0 Karma

tamakg
Path Finder

Nope. New fields are empty...

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...