Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Replace entire string if it contains partial s...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
darls15
Explorer
07-06-2020
08:46 PM
Can anyone tell me how I would replace entire strings if they contain partial strings. As a basic example, in my search results, if a URL contains the word "homework", I would like to replace the entire URL with just "Homework", if it contains "learn", then "Learning" and so on. I have tried the search below a number of ways and can't seem to get it to work the way I need.
| eval domain = if(cs_host = "*homework*", "homework", if(cs_host = "*learn*", "learning",cs_host))
Domain Count
Homework 2
Learning 5
etc
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-06-2020
09:19 PM
Try
|eval category=case(like(domains, "%homework%"),"HomeWork",like(domains, "%learn%"),"Learning",like(domains, "%school%"),"School",1==1,domains)
Sample result
|makeresults|eval domains="https://homework.mydomain.com https://learn.mydomain.com https://school.mydomain.com"|makemv domains|mvexpand domains
|eval category=case(like(domains, "%homework%"),"HomeWork",like(domains, "%learn%"),"Learning",like(domains, "%school%"),"School",1==1,domains)
|stats count by categoryalternatively you may use regex to extract the domains if there are multiple domains to be identified.
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-06-2020
09:19 PM
Try
|eval category=case(like(domains, "%homework%"),"HomeWork",like(domains, "%learn%"),"Learning",like(domains, "%school%"),"School",1==1,domains)
Sample result
|makeresults|eval domains="https://homework.mydomain.com https://learn.mydomain.com https://school.mydomain.com"|makemv domains|mvexpand domains
|eval category=case(like(domains, "%homework%"),"HomeWork",like(domains, "%learn%"),"Learning",like(domains, "%school%"),"School",1==1,domains)
|stats count by categoryalternatively you may use regex to extract the domains if there are multiple domains to be identified.
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
darls15
Explorer
07-06-2020
10:06 PM
Thanks renjith_nair, just what I needed!
Get Updates on the Splunk Community!
Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
