Splunk Search

Merging values with similar

exocore123
Path Finder

I want to merge values with similar string context and still be able to reverse search for those logs. Similar to this

The stats count look something like this

error                                        count
invalid input                                  25
price "1.24" does not match "1.21"              1
price "1.00" does not match "1.01"              1
price "1.34" does not match "3.21"              1
external services                              15

I want it to look something like

error                                        count
invalid input                                  25
price * does not match *                        3
external services                              15

When say I want to find the logs matches "price __ does not match __ " I can see the list of specific logs combined

1 Solution

somesoni2
SplunkTrust
SplunkTrust

If you know all the patterns which you want to merge, like price "N1" does not match "N2", then you use use eval replace command before your stats command to make them similar.

Your base search before stats
| eval error=replace(error,"(price )\S+( does not match )\S+","\1*\2*")
| stats count by error

If it throws error, escape the asterisk with \ in replace command.

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

If you know all the patterns which you want to merge, like price "N1" does not match "N2", then you use use eval replace command before your stats command to make them similar.

Your base search before stats
| eval error=replace(error,"(price )\S+( does not match )\S+","\1*\2*")
| stats count by error

If it throws error, escape the asterisk with \ in replace command.

exocore123
Path Finder

What happens if I know there are many string repetitions in the results? Someway to merge all of them together without having to do an eval for every string?

0 Karma

chiilii
Explorer

@exocore123 have you found the way to merge all of them without using an eval?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...