Splunk Search

Is there a way to search for a list of strings, and for each match, put that string as the value of the same field?

Lucas_Henry_
New Member

Is there a way to search for a list of strings, and for each match, put that string as the value of the same field?

edit: here's what I'm trying to do
i.e., "eval myField=( "value1", "value2", "value3") | stats count by myField"

Where "value1", "value2", "value3" are literal strings.

I want to get a count for how many "value1"s, "value2"s, and "value3"s there are

0 Karma
1 Solution

woodcock
Esteemed Legend

OK, assuming that the problem is that a field called errorMsg does not exist, try this:

index=its_akana* source="/apps/logs/*" host=ent5*ll5app ("at the below stack trace. Not closed in the same method" OR
"Cannot get a connection, pool exhausted" OR
"com.digev.fw.exception.GException: Execution of a DB command failed" OR
"com.digev.fw.exception.GException: javax.wsdl.WSDLException: WSDLException: faultCode=OTHER_ERROR" OR
"com.mongodb.MongoSocketOpenException" OR
"com.mongodb.MongoTimeoutException" OR
"Data truncation" OR
"ERROR [DBStatementAndResultSetTracker] PreparedStatementTracker" OR
"Error encountered in WS-Security engine" OR
"Error in creating Prepared statement for the query" OR
"federation member auth token cannot be refreshed" OR
"GC overhead limit exceeded" OR
"Illegal character" OR
"java.lang.NullPointerException at com.soa.jbi.component.http.marshal.impl.OutgoingExchangeInitializer" OR
"java.lang.StackOverflowError" OR
"Log block not closed correctly. Enable log block tracking to see diagnostic information" OR
"Log frame is closed at the below stack trace" OR
"No corresponding startTraceBlock() is seen" OR
"No key found in WSDL for service" OR
"No process found" OR
"No Subject is associated with the call. Only Container identities can invoke this call. Returning authorization error" OR
"OutOfMemoryError" OR
"Timeout waiting for idle object" OR
"Unable to initialize SiteMinder agent" OR
"UsageJDBCWriter.writeUsage" OR
"Wsdl does not conform to wsdl schema" OR
"org.elasticsearch.action.UnavailableShardsException" OR
"None of the configured nodes are available") 

| rename COMMENT AS "You can get rid of the following line if you ever get the field extraction working"
| rex "(?<errorMsg>at the below stack trace. Not closed in the same method|Cannot get a connection, pool exhausted|com.digev.fw.exception.GException: Execution of a DB command failed|com.digev.fw.exception.GException: javax.wsdl.WSDLException: WSDLException: faultCode=OTHER_ERROR|com.mongodb.MongoSocketOpenException|com.mongodb.MongoTimeoutException|Data truncation|ERROR \[DBStatementAndResultSetTracker\] PreparedStatementTracker|Error encountered in WS-Security engine|Error in creating Prepared statement for the query|federation member auth token cannot be refreshed|GC overhead limit exceeded|Illegal character|java.lang.NullPointerException at com.soa.jbi.component.http.marshal.impl.OutgoingExchangeInitializer|java.lang.StackOverflowError|Log block not closed correctly. Enable log block tracking to see diagnostic information|Log frame is closed at the below stack trace|No corresponding startTraceBlock\(\) is seen|No key found in WSDL for service|No process found|No Subject is associated with the call. Only Container identities can invoke this call. Returning authorization error|OutOfMemoryError|Timeout waiting for idle object|Unable to initialize SiteMinder agent|UsageJDBCWriter.writeUsage|Wsdl does not conform to wsdl schema|org.elasticsearch.action.UnavailableShardsException|None of the configured nodes are available)"

| chart count BY host errorMsg


0 Karma

koshyk
Super Champion

Not quite clear from your question, but an example would be helpful.

But just a guess, are you looking for something like this? https://answers.splunk.com/answers/103700/how-do-i-create-a-field-whose-name-is-the-value-of-another...

|makeresults| eval aKey="Field1" | eval aValue=123 | eval {aKey}=aValue | table aKey,aValue,Field1
0 Karma

somesoni2
SplunkTrust

Could you please post some pseudo query on what you want to achieve, possibly with some examples?

0 Karma

Lucas_Henry_
New Member

i.e., "eval myField=( "value1", "value2", "value3") | stats count by myField"

Where "value1", "value2", "value3" are literal strings.

I want to get a count for how many "value1"s, "value2"s, and "value3"s there are

0 Karma

somesoni2
SplunkTrust

How are the values for the strings "value1", "value2", ... coming: static/fixed strings, or dynamic?

If they are static/fixed and limited, something like this would work.

...| eval myField=case(match(myField,"value1"),"value1", match(myField,"value2"),"value2", match(myField,"value3"),"value3") | stats count by myField

If they are more in number, you can put them in a lookup table file, say myfield_value.csv, with column name myfieldvalue, and try like this

...| lookup myfield_value.csv myfieldvalue as myField OUTPUT myfieldvalue as myField  | stats count by myField
0 Karma
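An added Python example, not from this thread, that mirrors the two approaches above (woodcock's rex with a named alternation group, and somesoni2's case(match(...)) chain) over constructed log events, so you can see which string each event gets attributed to and why metacharacters such as "[" must be escaped. The error strings, host names and events are constructed for illustration.

```python
import re
from collections import Counter

# Constructed subset of the literal strings from the thread.
ERROR_STRINGS = [
    "at the below stack trace. Not closed in the same method",
    "Cannot get a connection, pool exhausted",
    "ERROR [DBStatementAndResultSetTracker] PreparedStatementTracker",
    "Log frame is closed at the below stack trace",
    "OutOfMemoryError",
]

# rex equivalent: one named group whose body is an alternation of the strings.
# re.escape() keeps "[", "]", "(", ")" and "." literal; left unescaped,
# "[...]" becomes a character class and the third string never matches.
REX = re.compile("(?P<errorMsg>" + "|".join(re.escape(s) for s in ERROR_STRINGS) + ")")


def extract_rex(event):
    """rex-style: the alternative that matches at the leftmost position wins."""
    m = REX.search(event)
    return m.group("errorMsg") if m else None


def extract_case(event):
    """case(match(...))-style: the first string in list order found anywhere wins."""
    for s in ERROR_STRINGS:
        if s in event:
            return s
    return None


def count_by_host(events, extractor):
    """Equivalent of 'chart count BY host errorMsg'; events with no match are dropped."""
    counts = Counter()
    for host, raw in events:
        msg = extractor(raw)
        if msg is not None:
            counts[(host, msg)] += 1
    return counts


# Constructed sample events as (host, _raw) pairs.
EVENTS = [
    ("ent5all5app", "ERROR [DBStatementAndResultSetTracker] PreparedStatementTracker leak"),
    ("ent5all5app", "WARN Cannot get a connection, pool exhausted"),
    ("ent5bll5app", "java.lang.OutOfMemoryError: Java heap space"),
    # Contains the 1st and 4th strings: rex picks the leftmost, case() the earliest in the list.
    ("ent5bll5app", "Log frame is closed at the below stack trace. Not closed in the same method"),
    ("ent5bll5app", "INFO request completed"),
]
```

The fourth event shows the practical difference: with rex the leftmost match in the event wins, while a case(match(...)) chain is decided by the order of the list, so the two methods can attribute the same event to different strings.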