Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Query Help!

kc_prane
Communicator
‎07-29-2024 09:03 AM

I Have  Service_names  (A, B ,C ,D, E,  F, G, H, I J, K, L , M)  but want  (C ,D, E,  F, G, H, I J, K, L , M ) services_names renamed as "Other_Services"  | Stats by  services_names  | table services_names  time_Taken

Thanks in advance!

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-29-2024 11:02 PM

Hi @kc_prane ,

you shared only a part of your search, so I cannot check it.

anyway, does it solves your requirement?

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-29-2024 09:07 AM

Hi @kc_prane ,

ony one question: what's time_Token?

if it's a field, please try something like this:

<your_search
| eval services_names=if(services_names IN ("A", "B"), service_name, "Other_Services")
| stats values(time_Token) AS time_Token BY  services_names
| table services_names  time_Taken

 otherwise, please explain what's time_Token, or apply my approach to your search.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

kc_prane
Communicator
‎07-29-2024 09:43 AM

Hi gcusello, Thanks for the reply,  Iam looking to get results like below.

my base search

| rex "^[^=\n]*=(?P<ServiceName>[^,]+)"
| rex "TimeMS\s\=\s(?<Trans_Time>\d+)"

Results

ServiceName         Trans_Time Count
A 60 1111
B 40 1234
Other_Services( C , D, E, F,G,H) 25 1234567
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-29-2024 11:02 PM

Hi @kc_prane ,

you shared only a part of your search, so I cannot check it.

anyway, does it solves your requirement?

Ciao.

Giuseppe

Reply
Solved! Jump to solution

kc_prane
Communicator
‎07-30-2024 08:52 AM

Thanks for the help! @gcusello. I fixed my rex Iam seeing results now.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...