Solved: Re: How to use regex on field names?

tamakg · ‎09-11-2018

For example.

Is there any way to convert this:

into this?

Don't care about the numbers but the value of the second column (new) is a substr of the previous headers. Of course there are many other different "Disks".

somesoni2 · ‎09-11-2018

Try like this

your current search giving table in first screenshot
| untable _time fieldname fieldval
| eval fieldname=replace(fieldname,"^(.+_)(Avg_.+)","\2") 
| xyseries _time fieldname fieldval

If above works for you, look at definition of untable/xyseries command here, to understand the usage better:
http://docs.splunk.com/Documentation/SplunkLight/7.1.2/References/Listofsearchcommands

View solution in original post

somesoni2 · ‎09-11-2018

Try like this

your current search giving table in first screenshot
| untable _time fieldname fieldval
| eval fieldname=replace(fieldname,"^(.+_)(Avg_.+)","\2") 
| xyseries _time fieldname fieldval

If above works for you, look at definition of untable/xyseries command here, to understand the usage better:
http://docs.splunk.com/Documentation/SplunkLight/7.1.2/References/Listofsearchcommands

tamakg · ‎09-11-2018

Almost there. Missing the "removed field prefix" as a new column value.

somesoni2 · ‎09-11-2018

I didn't understand. What are you getting now and what's expected?

jodyfsu · ‎09-11-2018

If you can provide a sample event we can probably figure this out.

tamakg · ‎09-11-2018

Here is the sample: https://1drv.ms/u/s!AsmV0Jvla5SrgW-CydStfrht3ep6

jodyfsu · ‎09-11-2018

| rex field=PhysicalDisk_0_C_Avg__Disk_Bytes_Read "(?<DRIVE>\w+\_\d\_\w)\_(?<AVDBR>.[^\s]+)"

jodyfsu · ‎09-11-2018

See if that works.

tamakg · ‎09-11-2018

Nope. New fields are empty...

How to use regex on field names?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms