Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Taking one event to give value to other events

4t14s
Explorer
‎10-09-2020 06:21 AM

Greetings Everyone!

I am a little confused, hope you can help me. I am trying to assign a value to other rows that are blank in a field using some value of the same field. Let me set an example here:

What I have:

IP                       |                 Model                                         | Several other fields 

127.0.0.1        |                                                                       |             .....

127.0.0.1        |              AMD Ryzen                                 |             ..... 

127.0.0.1        |                                                                       |             .....

127.0.0.2        |                                                                       |             .....

127.0.0.2        |             Intel Core                                      |             .....

 

What I need to accomplish:

IP                       |                 Model                                         | Several other fields 

127.0.0.1        |              AMD Ryzen                                 |             .....

127.0.0.1        |              AMD Ryzen                                 |             ..... 

127.0.0.1        |              AMD Ryzen                                 |             .....

127.0.0.2        |             Intel Core                                      |             .....

127.0.0.2        |             Intel Core                                      |             .....

What I want to do is to make each row take the unique available value for Model taking the only non-blank value that shows up for that IP, and being able to count the events, I tried with stats values(Model) by IP, Several Fields, but 1 - it still shows blank spaces, and 2 - it breaks the event statistics so I want to count each entry of the several fields. Could you please show me the best way to do this? Thank you in advance!

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2020 07:51 AM 
| makeresults | eval events="10.0.0.1 |   myserver.com |   AMD Ryzen   |                            | USA                 |RandomText|RandomText|RandomText

10.0.0.2 |   myserver.com  |   Intel Core      |                            |Canada           |RandomText|RandomText|RandomText
10.0.0.1 |   myserver.com  |                             |         Dell           |                           |RandomText|RandomText|RandomText

10.0.0.2 |   myserver.com  |                             |         Lenovo    |                           |RandomText|RandomText|RandomText"
| rex max_match=0 field=events "(?<events>.*)\n*"
| mvexpand events
| rex field=events "(?<IP>[^\|]+)\|(?<Server>[^\|]+)\|(?<Model>[^\|]+)\|(?<Brand>[^\|]+)\|(?<Country>[^\|]+)\|(?<extrafield2>[^\|]+)\|(?<extrafield3>[^\|]+)\|(?<extrafield4>.+)"
| eval IP=trim(IP), Server=trim(Server), model=trim(Model), Brand=trim(Brand), Country=trim(Country), extrafield2=trim(extrafield2), extrafield3=trim(extrafield3), extrafield4=trim(extrafield4)
| fields - _time events
| eventstats values(Model) as Model by IP
| table IP Server Model Brand Country extrafield2 extrafield3 extrafield4

Note that I have put in some trims for the fields but that because of the way I created the data from your post, but perhaps you need to do the same with your real data

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2020 06:36 AM 
| eventstats values(Model) as Model by IP
0 Karma
Reply
Solved! Jump to solution

4t14s
Explorer
‎10-09-2020 06:56 AM

Thank you for your response! Unfortunately it´s not working it still leaves empty the field model in lots of rows with the same IP as the one that is not empty

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2020 07:02 AM

Can you share your raw data (anonymised of course) for the events where this is failing?

0 Karma
Reply
Solved! Jump to solution

4t14s
Explorer
‎10-09-2020 07:27 AM

I am going to try to recreate it as real as I can here:

Something to consider here is that Brand and Model both come from different sources so the rows where Brand is not empty Model is the things both sources have in common are IP and Server.

after applying the command shows like this.

IP             |          Server          |        Model  |   Brand| Country |extrafield2|extrafield3|extrafield4

10.0.0.1 |   myserver.com |   AMD Ryz |                |USA          | Text            |  Text            |  Text

10.0.0.2 |   myserver.com  |Intel Core  |               |Canada    | Text            |  Text            |  Text
10.0.0.1 |   myserver.com  |                      | Dell      |                    | Text            |  Text            |  Text

10.0.0.2 |   myserver.com  |                      |Lenovo|                    | Text            |  Text            |  Text

what I need to accomplish:

IP             |          Server          |        Model    | Brand |Country | extrafield2 |extrafield3|extrafield4

10.0.0.1 |   myserver.com |   AMD Ryz   |               |USA         |  Text             |   Text           |Text

10.0.0.2 |   myserver.com  |   Intel Core |               |Canada  | Text              |   Text           |Text
10.0.0.1 |   myserver.com  | AMD Ryz    | Dell      |                  |  Text             | Text             |Text

10.0.0.2 |   myserver.com  |   Intel Core |Lenovo|                  |Text               | Text             |Text

So Country and Brand will always be like that but I need Model to match with both, even when it comes with the source of country and not that of Brand, keeping the number of events to later apply count on them, keeping in consideration that the number of IP´s is in growth.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2020 07:51 AM 
| makeresults | eval events="10.0.0.1 |   myserver.com |   AMD Ryzen   |                            | USA                 |RandomText|RandomText|RandomText

10.0.0.2 |   myserver.com  |   Intel Core      |                            |Canada           |RandomText|RandomText|RandomText
10.0.0.1 |   myserver.com  |                             |         Dell           |                           |RandomText|RandomText|RandomText

10.0.0.2 |   myserver.com  |                             |         Lenovo    |                           |RandomText|RandomText|RandomText"
| rex max_match=0 field=events "(?<events>.*)\n*"
| mvexpand events
| rex field=events "(?<IP>[^\|]+)\|(?<Server>[^\|]+)\|(?<Model>[^\|]+)\|(?<Brand>[^\|]+)\|(?<Country>[^\|]+)\|(?<extrafield2>[^\|]+)\|(?<extrafield3>[^\|]+)\|(?<extrafield4>.+)"
| eval IP=trim(IP), Server=trim(Server), model=trim(Model), Brand=trim(Brand), Country=trim(Country), extrafield2=trim(extrafield2), extrafield3=trim(extrafield3), extrafield4=trim(extrafield4)
| fields - _time events
| eventstats values(Model) as Model by IP
| table IP Server Model Brand Country extrafield2 extrafield3 extrafield4

Note that I have put in some trims for the fields but that because of the way I created the data from your post, but perhaps you need to do the same with your real data

Reply
Solved! Jump to solution

4t14s
Explorer
‎10-09-2020 10:29 AM

Thank you very much! It worked!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...