I have ServiceNames (A, B, C, D, E, F, G, H) but want the results for (C, D, E, F, G, H) combined and renamed as "Other_Services".
My base search:
| rex "^[^=\n]*=(?P<ServiceName>[^,]+)" | rex "TimeMS\s\=\s(?<Trans_Time>\d+)"
Required results:
ServiceName | Trans_Time | Count |
A | 60 | 1111 |
B | 40 | 1234 |
Other_Services (C, D, E, F, G, H) | 25 | 1234567 |
Hi @kc_prane, try this: create a new eval field (ServiceGroup) that checks whether ServiceName is A or B and otherwise assigns "Other_Services":
| rex "^[^=\n]*=(?P<ServiceName>[^,]+)"
| rex "TimeMS\s\=\s(?<Trans_Time>\d+)"
| eval ServiceGroup = case(
ServiceName == "A", "A",
ServiceName == "B", "B",
1==1, "Other_Services"
)
| stats
avg(Trans_Time) as Avg_Trans_Time,
count as Count
by ServiceGroup
| rename ServiceGroup as ServiceName
| sort ServiceName
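As an added, self-contained example (not part of the original answer), here is the same case()/stats grouping run against a handful of constructed sample events built with makeresults, so it can be pasted into any Splunk search bar without needing an index. The "service=X, TimeMS = N" layout of the sample events, the six events themselves, and the round() step are assumptions made for this example, not data from the original post:

```spl
| makeresults
| eval _raw="service=A, TimeMS = 60;service=A, TimeMS = 80;service=B, TimeMS = 40;service=C, TimeMS = 20;service=D, TimeMS = 30;service=E, TimeMS = 25"
| makemv delim=";" _raw
| mvexpand _raw
| rex "^[^=\n]*=(?P<ServiceName>[^,]+)"
| rex "TimeMS\s\=\s(?<Trans_Time>\d+)"
| eval ServiceGroup = case(
    ServiceName == "A", "A",
    ServiceName == "B", "B",
    1==1, "Other_Services"
)
| stats avg(Trans_Time) as Avg_Trans_Time, count as Count by ServiceGroup
| eval Avg_Trans_Time = round(Avg_Trans_Time, 1)
| rename ServiceGroup as ServiceName
| sort ServiceName
```

The makemv/mvexpand pair only splits the one constructed string into one event per service so that both rex commands have a _raw to work on; on real data you replace those first four lines with your base search. With the sample events above the search should return three rows: A (average 70, count 2), B (average 40, count 1) and Other_Services (average 25, count 3). One caveat worth knowing before trusting the counts: the 1==1 catch-all also swallows events where the first rex failed and ServiceName is null, because a comparison against a null field is simply false. If you want to see those separately rather than have them inflate Other_Services, add a branch such as isnull(ServiceName), "Unparsed" before the default.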
Thanks @KendalW for the help!
Hello, @gcusello. Thank you for your response. I had an issue with rex. I have corrected that now, and your earlier query works for me.
Hi @kc_prane ,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉