Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Replace Multiple Strings in a field with values

deepak_negi02
New Member
‎09-07-2020 12:25 PM

Need to replace strings present below in a field with the respective values.

Field1 = "This field contains the information about students: student1, student2; student3.....studentN"

Field2 ="student1:{first_name:ABC,last_name:DEF},student2:{first_name:GHI,last_name:JKL),student3:{first_name & again the same information till StudentN

Need to create a new field which contains value of first_name & last_name from Field2 and replace those values with student1,student2....studentN in Field1

N would vary in each event. it could be [0-100]

What is expected-

Expected_Field="This field contains the information about students:ABC DEF, GHI JKL, till the end N

Suppose the total events is 3 , then Expected_Field needs to be created for all 3 events. 

Ask is to parse the information(names) out of Field2 and Replace with Student in Field1.

Labels (4)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2020 12:41 AM

The following allows for student ids i.e. not strictly student1, student2 etc., and for names in Field2 being in a different order

...
| rex max_match=0 field=Field1 "(?<prefix>[^:]*): (?<students>.*)"
| eval student=split(students, ", ")
| rex max_match=0 field=Field2 "((?<studentname>[^\:\{]*)\:\{first_name:(?<studentfirst>[^,]*),last_name:(?<studentlast>[^\}]*)\},?)"
| eval studentfullname=mvzip(studentfirst,studentlast," ")
| eval student=mvmap(student,mvindex(studentfullname,mvfind(studentname,student)))
| eval students=mvjoin(student,", ")
| eval expected=prefix.": ".students
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2020 11:39 PM

Both @thambisetty  and @renjith_nair  have made good suggestions (although @thambisetty  does need a minor tweak to account for more than 9 students (use "s/student\d+\: and so on) and @renjith_nair  could use @thambisetty 's technique for capturing the initial part of the expected output, and both are missing the space after the ":" - these are minor details).

However, both are based on the not unreasonable assumption that Field2 contains all and only the names in the required order and @thambisetty  also assumes, again not unreasonably, that your events really do have students listed as student1, student2 etc. and not some student id.

Please confirm that this is true and, if so, accept a solution.

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-07-2020 11:43 PM

@ITWhisperer ,

thanks, I have added+ to match more than student9.

————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-07-2020 10:04 PM

 

| makeresults | eval field1="This field contains the information about students: student1, student2, student3",field2="student1:{first_name:ABC,last_name:DEF},student2:{first_name:GHI,last_name:JKL},student3:{first_name:klm,last_name:zyz}"
| rex field=field1 "(?<expected_field>[^:]+)"
| eval expected_field=expected_field.":".field2
| rex field=expected_field mode=sed "s/student\d+\:{first_name:([^,]+),last_name:([^\}]+)\}?/\1 \2/g"

 

————————————
If this helps, give a like below.
0 Karma
Reply

renjith_nair
Legend
‎09-07-2020 09:45 PM

Try this

 

"Your search"
|rex field=Field2 max_match=0 "first_name:(?<_First>.*?),last_name:(?P<_Last>.*?)\}"
|eval Expected_Field="This field contains the information about students:".mvjoin(mvzip(_First,_Last," "),",")

 

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...