Solved: Rename group by value

shangshin · ‎08-20-2012

Hi,
I am using splunk to monitor the performance of a number of long urls and the search strring is like :

| stats max(time_in_sec), perc90(time_in_sec), perc75(time_in_sec), perc50(time_in_sec), avg(time_in_sec), min(time_in_sec), stdev(time_in_sec) by ping_url

It's working fine but the url is too long to fit in the dashboard. I am wondering if there is a way to function to display the short name in the result? Thanks!

e.g. RENAME www.google.com AS Google

kristian_kolb · ‎08-20-2012

I can see a few options;

If you have a large number of URLs you can extract the significant portion with the substr function.

... | eval shorty = substr(url,40) | the_rest_of_your_search by shorty

If you have a few loooong but fairly static urls you can set up a case evaluation

...| eval shorty = case(url == "/long/url/number1", "long1", url == "/long/url/number2", long2, url == "really/long/url/number/3", "long3") | the_rest_of_your_search by shorty

See the docs for eval for more info.

If all your URLs start the same way, e.g. /this/is/the/base/directory/in/all/urls/for/the/site/page1.htm, you can make a field extraction that skips the redundant levels (or as Ayn suggests, use replace).

Hope this helps somewhat,

Kristian

edit: update, spelling

View solution in original post

GKC · ‎12-18-2012

I would really recommend the use of lookup tables here, that way you can always add/modidy/delete any entries there that you may use in your searches. This way you can configure in an eficient way how you want each url to be displayed in order to be readable too.

Here it is some easy to follow info on the subjetc:
http://docs.splunk.com/Documentation/Splunk/5.0/knowledge/Addfieldsfromexternaldatasources

kristian_kolb · ‎08-20-2012

I can see a few options;

If you have a large number of URLs you can extract the significant portion with the substr function.

... | eval shorty = substr(url,40) | the_rest_of_your_search by shorty

If you have a few loooong but fairly static urls you can set up a case evaluation

...| eval shorty = case(url == "/long/url/number1", "long1", url == "/long/url/number2", long2, url == "really/long/url/number/3", "long3") | the_rest_of_your_search by shorty

See the docs for eval for more info.

If all your URLs start the same way, e.g. /this/is/the/base/directory/in/all/urls/for/the/site/page1.htm, you can make a field extraction that skips the redundant levels (or as Ayn suggests, use replace).

Hope this helps somewhat,

Kristian

edit: update, spelling

c48571 · ‎05-01-2020

What does the 40 stand for in substr(url,40)?

to4kawa · ‎05-01-2020

@c48571
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/TextFunctions#substr.28X.2CY.2CZ...

see reference

and try googling substr site:docs.splunk.com

Ayn · ‎08-21-2012

You can use the match function for this. See more info in the docs on eval functions. http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions

shangshin · ‎08-21-2012

Thanks a lot! This is very helpful!!!
I ma wondering if the CASE function supports regular expression so the search string is cleaner? e.g.

...| eval shorty = case(url == "*number1*", "long1", url == "*number2*", long2, url == "*number3*", "long3") | the_rest_of_your_search by shorty

Ayn · ‎08-20-2012

You probably want replace (http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Replace 😞

... | replace www.google.com with Google

Rename group by value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation