Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Merging with similar strings without eval

chiilii
Explorer
‎04-29-2020 09:25 PM

Hi All,

I would like to combine similar strings (with different field values) in my data.

The data I have now:

Error | Count (yesterday) | Count (today)
Low ink on printer A | 10 | 0
Invalid input on line 1 | 5 | 2
Invalid input on line 2 | 4 | 4
Low ink on printer B | 6 | 3
Service crash on App1 | 1 | 0

What I want to have:

Error Type | Count (yesterday) | Count (today)
Low ink on printer * | 16 | 3
Invalid input on line * | 9 | 6
Service crash on * | 1 | 0

Note: I may have thousands of error type that needs to be combined.
Is it possible to achieve without having to eval every string?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-01-2020 04:37 PM 
| makeresults 
| eval _raw="Error,Count_yesterday,Count_today
Low ink on printer A , 10 , 0
Invalid input on line 1 , 5 , 2
Invalid input on line 2 , 4 , 4
Low ink on printer B , 6 , 3
Service crash on App1 , 1 , 0"
| rex mode=sed "s/(?m)^\s+//g" 
| multikv forceheader=1
| table E* C*
| rename COMMENT as "this is sample"

| rex field=Error mode=sed "s/^((?<Msg>.+)\s)\S+/\1*/"

| stats sum(Count_yesterday) as Count_yesterday sum(Count_today) as Count_today by Error

well, do not use eval is hard.

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-01-2020 04:37 PM 
| makeresults 
| eval _raw="Error,Count_yesterday,Count_today
Low ink on printer A , 10 , 0
Invalid input on line 1 , 5 , 2
Invalid input on line 2 , 4 , 4
Low ink on printer B , 6 , 3
Service crash on App1 , 1 , 0"
| rex mode=sed "s/(?m)^\s+//g" 
| multikv forceheader=1
| table E* C*
| rename COMMENT as "this is sample"

| rex field=Error mode=sed "s/^((?<Msg>.+)\s)\S+/\1*/"

| stats sum(Count_yesterday) as Count_yesterday sum(Count_today) as Count_today by Error

well, do not use eval is hard.

Reply
Solved! Jump to solution

erica
Explorer
‎11-30-2021 02:16 AM

Hello! 

I love your solution, but any idea how my rex string should be if my difference is in the middle of the string? 

 

Error String Example 1: 

No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomething. Please write a rule *

No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomethingElse. Please write a rule *

No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomethingElseElse. Please write a rule *

 

Error String Example 2

Locale is null for the language, es with ec, com.EditingContext@1y3y1u3e. Skip this *

Locale is null for the language, en with ec, com.ITEditingContext@2y5f3u3e. Skip this *

  

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-29-2020 10:12 PM

@chiilii

Can you please try this ?

YOUR_SEARCH 
| rex field=Error mode=sed "s/\s(?<last>\w+)$/ * /g" max_match=0
| rex field=Error mode=sed "s/^(\d)\.\s//g" max_match=0
| stats sum("Count (yesterday)") as "Count (yesterday)" sum("Count (today)") as "Count (today)" by Error

Sample Search:

| makeresults 
| eval _raw=" Error Count (yesterday)   Count (today)
1. Low ink on printer A 10  0
2. Invalid input on line 1  5   2
3. Invalid input on line 2  4   4
4. Low ink on printer B 6   3
5. Service crash on App1    1   0" 
| multikv forceheader=1 
| rename Count__yesterday_ as "Count (yesterday)", Count__today_ as "Count (today)" 
| table Error "Count (yesterday)" "Count (today)" 
| rename comments as "this is for sample data only" 
| rex field=Error mode=sed "s/\s(?<last>\w+)$/ * /g" max_match=0
| rex field=Error mode=sed "s/^(\d)\.\s//g" max_match=0
| stats sum("Count (yesterday)") as "Count (yesterday)" sum("Count (today)") as "Count (today)" by Error

Thanks

0 Karma
Reply
Solved! Jump to solution

chiilii
Explorer
‎05-01-2020 08:53 AM

thanks @kamlesh_vaghela, I like how you used regex here. But what if I have a new error that has string like "Low ink on printer A and needs cartridge replacement", the outcome I'm expecting is "Low ink on printer * and needs cartridge replacement"? Would there be better way for this?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-29-2020 10:12 PM

Error is digit + type description ?

0 Karma
Reply
Solved! Jump to solution

chiilii
Explorer
‎05-01-2020 07:47 AM

@to4kawa sorry for the confusion, removed the digit

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...