Re: Replace Multiple Strings in a field with value...

deepak_negi02 · ‎09-07-2020

Need to replace strings present below in a field with the respective values.

Field1 = "This field contains the information about students: student1, student2; student3.....studentN"

Field2 ="student1:{first_name:ABC,last_name:DEF},student2:{first_name:GHI,last_name:JKL),student3:{first_name & again the same information till StudentN

Need to create a new field which contains value of first_name & last_name from Field2 and replace those values with student1,student2....studentN in Field1

N would vary in each event. it could be [0-100]

What is expected-

Expected_Field="This field contains the information about students:ABC DEF, GHI JKL, till the end N

Suppose the total events is 3 , then Expected_Field needs to be created for all 3 events.

Ask is to parse the information(names) out of Field2 and Replace with Student in Field1.

ITWhisperer · ‎09-08-2020

The following allows for student ids i.e. not strictly student1, student2 etc., and for names in Field2 being in a different order

...
| rex max_match=0 field=Field1 "(?<prefix>[^:]*): (?<students>.*)"
| eval student=split(students, ", ")
| rex max_match=0 field=Field2 "((?<studentname>[^\:\{]*)\:\{first_name:(?<studentfirst>[^,]*),last_name:(?<studentlast>[^\}]*)\},?)"
| eval studentfullname=mvzip(studentfirst,studentlast," ")
| eval student=mvmap(student,mvindex(studentfullname,mvfind(studentname,student)))
| eval students=mvjoin(student,", ")
| eval expected=prefix.": ".students

ITWhisperer · ‎09-07-2020

Both @thambisetty and @renjith_nair have made good suggestions (although @thambisetty does need a minor tweak to account for more than 9 students (use "s/student\d+\: and so on) and @renjith_nair could use @thambisetty 's technique for capturing the initial part of the expected output, and both are missing the space after the ":" - these are minor details).

However, both are based on the not unreasonable assumption that Field2 contains all and only the names in the required order and @thambisetty also assumes, again not unreasonably, that your events really do have students listed as student1, student2 etc. and not some student id.

Please confirm that this is true and, if so, accept a solution.

thambisetty · ‎09-07-2020

@ITWhisperer ,

thanks, I have added+ to match more than student9.

————————————
If this helps, give a like below.

thambisetty · ‎09-07-2020

| makeresults | eval field1="This field contains the information about students: student1, student2, student3",field2="student1:{first_name:ABC,last_name:DEF},student2:{first_name:GHI,last_name:JKL},student3:{first_name:klm,last_name:zyz}"
| rex field=field1 "(?<expected_field>[^:]+)"
| eval expected_field=expected_field.":".field2
| rex field=expected_field mode=sed "s/student\d+\:{first_name:([^,]+),last_name:([^\}]+)\}?/\1 \2/g"

————————————
If this helps, give a like below.

renjith_nair · ‎09-07-2020

Try this

"Your search"
|rex field=Field2 max_match=0 "first_name:(?<_First>.*?),last_name:(?P<_Last>.*?)\}"
|eval Expected_Field="This field contains the information about students:".mvjoin(mvzip(_First,_Last," "),",")

Happy Splunking!

Replace Multiple Strings in a field with values

field extraction

fields

other

regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!