Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Similar values of differing length

Woody
New Member
‎08-18-2012 03:32 AM

Folks,

We have extracted fields with example values like the below:

9979592435350
9810979592435350
900979592435350
810979592435350
800979592435350
700979592435350
15979592435350
979592435350
11979592435350
979592435350
14979592435350
10979592435350
979592435350

To the human eye these are 979592435350 with optionally different digits before. From a data set with lots of such sequences I want to be able to extract the 979592435350 value, and others like it separate from the varying digits before. Of course, I don't know the 979592435350 value in advance otherwise it'd be easy!

Generally the numbers I want will be 11-12 digits long, but not always, sometimes it'll be shorter, but should never be longer. The digits before will be <=4 digits in length most of the time but I'd prefer to do it without hard-coding the length if possible. The value we want should always be longer than the value that prefixes it though.

Can anyone think of an elegant way of extracting these values?

Thanks!
Simon

Tags (3)
0 Karma
Reply

Woody
New Member
‎08-18-2012 04:48 AM

Folks,

Ok, i might be getting somewhere with this. mvappend() enables me to export multiple substrings of different length with the same field name. So each record now as a 12 digit value, an 11 digit value and so on, as well as the actual recorded value, all with the same field name.

I can do a top or a dc() on these and group them.

Only problem is now is that having done that, I'll need to group by the longest matching value. For example, let's say the longest matching value is the 11 digit one, I will have exactly the same count for any length shorter (10, 9 and so on). I won't have a high count for the 12 digit value as that has correctly dropped to the bottom because the 1st digit varies. Thus how can I exclude the shorter variants of the same value?

Can anyone see how I can do this, or of course suggest a completely different way to to do?

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...