Solved: Re: If field matches regex then make the value foo

aaronnicoli · ‎08-30-2012

Okay so,

I have a field, "basedomain".
This contains a huge list of data such as:

google.com
facebook.com
google.com.au
fbcdn.net
google.co.uk

Now, I wish to rename like values...
So that, anything that matches this regex assumes the value "google".

ie. (google.com|google.com.au|google.co.uk)
if it matches that regex, then the value becomes simply "google"

I would then create another regex for facebook and so on.

Now, I understand I could just match on google, but as you can see that wouldn't work for facebook.

I'm trying to combine access stats cross domain to single sites, for instance so I can see how much traffic is going to any google services as a whole.

Am I looking in the wrong direction or is this possible???

Thanks,
Aaron.

dwaddle · ‎08-30-2012

This is perhaps easiest with a lookup table. You can build a lookup table of the form:

basedomain,service_name
google.com,google
google.com.au,google
google.co.uk,google
facebook.com,facebook
fbcdn.com,facebook

And, from there, you should be able to use the lookup command to "mark up" each value of basedomain with its related service_name, and then you can do your stats operations against the service_name.

View solution in original post

aaronnicoli · ‎08-30-2012

Okay, seems I am now part way there with the lookup table...

I have the lookup table like so:

basedomain,domaingroup
google.com,google
google.com.au,google

And have configured the lookup like this:

common_domains basedomain AS basedomain OUTPUTNEW domaingroup AS domaingroup

The problem I have is this, I can now only print domains that are specifically listed in the lookup table, so if I have yahoo.com come through it's not displayed because it's not in the lookup table...

I have tried playing with the field names and rewriting the actual basedomain field values themselves but without any success.

Once again, it would be great if someone could point me in the right direction...

This is the desired input and output:

Input:

35MB google.com.au
12MB google.com
4MB yahoo.com
3MB fbcdn.net
1MB google.co.uk

And the desired output:

48MB google
4MB yahoo.com
3MB fbcdn.net

Thanks again,
Aaron.

aaronnicoli · ‎08-30-2012

Thank you thank you thank you!!!

Really appreciate the input, hit the nail on the head!

gkanapathy · ‎08-30-2012

just add ... | eval domaingroup=coalesce(domaingroup,basedomain) after the lookup, and before your stats.

dwaddle · ‎08-30-2012

This is perhaps easiest with a lookup table. You can build a lookup table of the form:

basedomain,service_name
google.com,google
google.com.au,google
google.co.uk,google
facebook.com,facebook
fbcdn.com,facebook

And, from there, you should be able to use the lookup command to "mark up" each value of basedomain with its related service_name, and then you can do your stats operations against the service_name.

aaronnicoli · ‎08-30-2012

Fantastic, lookup tables, I have never used them but this seems like the perfect place to start!

Thank you!

If field matches regex then make the value foo

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk