Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Similar values of differing length

Woody
New Member
‎08-18-2012 03:32 AM

Folks,

We have extracted fields with example values like the below:

9979592435350
9810979592435350
900979592435350
810979592435350
800979592435350
700979592435350
15979592435350
979592435350
11979592435350
979592435350
14979592435350
10979592435350
979592435350

To the human eye these are 979592435350 with optionally different digits before. From a data set with lots of such sequences I want to be able to extract the 979592435350 value, and others like it separate from the varying digits before. Of course, I don't know the 979592435350 value in advance otherwise it'd be easy!

Generally the numbers I want will be 11-12 digits long, but not always, sometimes it'll be shorter, but should never be longer. The digits before will be <=4 digits in length most of the time but I'd prefer to do it without hard-coding the length if possible. The value we want should always be longer than the value that prefixes it though.

Can anyone think of an elegant way of extracting these values?

Thanks!
Simon

Tags (3)
0 Karma
Reply

Woody
New Member
‎08-18-2012 04:48 AM

Folks,

Ok, i might be getting somewhere with this. mvappend() enables me to export multiple substrings of different length with the same field name. So each record now as a 12 digit value, an 11 digit value and so on, as well as the actual recorded value, all with the same field name.

I can do a top or a dc() on these and group them.

Only problem is now is that having done that, I'll need to group by the longest matching value. For example, let's say the longest matching value is the 11 digit one, I will have exactly the same count for any length shorter (10, 9 and so on). I won't have a high count for the 12 digit value as that has correctly dropped to the bottom because the 1st digit varies. Thus how can I exclude the shorter variants of the same value?

Can anyone see how I can do this, or of course suggest a completely different way to to do?

Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...