Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Replace entire string if it contains partial s...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
darls15
Explorer
07-06-2020
08:46 PM
Can anyone tell me how I would replace entire strings if they contain partial strings. As a basic example, in my search results, if a URL contains the word "homework", I would like to replace the entire URL with just "Homework", if it contains "learn", then "Learning" and so on. I have tried the search below a number of ways and can't seem to get it to work the way I need.
| eval domain = if(cs_host = "*homework*", "homework", if(cs_host = "*learn*", "learning",cs_host))
Domain Count
Homework 2
Learning 5
etc
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-06-2020
09:19 PM
Try
|eval category=case(like(domains, "%homework%"),"HomeWork",like(domains, "%learn%"),"Learning",like(domains, "%school%"),"School",1==1,domains)
Sample result
|makeresults|eval domains="https://homework.mydomain.com https://learn.mydomain.com https://school.mydomain.com"|makemv domains|mvexpand domains
|eval category=case(like(domains, "%homework%"),"HomeWork",like(domains, "%learn%"),"Learning",like(domains, "%school%"),"School",1==1,domains)
|stats count by categoryalternatively you may use regex to extract the domains if there are multiple domains to be identified.
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-06-2020
09:19 PM
Try
|eval category=case(like(domains, "%homework%"),"HomeWork",like(domains, "%learn%"),"Learning",like(domains, "%school%"),"School",1==1,domains)
Sample result
|makeresults|eval domains="https://homework.mydomain.com https://learn.mydomain.com https://school.mydomain.com"|makemv domains|mvexpand domains
|eval category=case(like(domains, "%homework%"),"HomeWork",like(domains, "%learn%"),"Learning",like(domains, "%school%"),"School",1==1,domains)
|stats count by categoryalternatively you may use regex to extract the domains if there are multiple domains to be identified.
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
darls15
Explorer
07-06-2020
10:06 PM
Thanks renjith_nair, just what I needed!
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
