Greetings Everyone!
I am a little confused, hope you can help me. I am trying to assign a value to other rows that are blank in a field using some value of the same field. Let me set an example here:
What I have:
IP | Model | Several other fields
127.0.0.1 | | .....
127.0.0.1 | AMD Ryzen | .....
127.0.0.1 | | .....
127.0.0.2 | | .....
127.0.0.2 | Intel Core | .....
What I need to accomplish:
IP | Model | Several other fields
127.0.0.1 | AMD Ryzen | .....
127.0.0.1 | AMD Ryzen | .....
127.0.0.1 | AMD Ryzen | .....
127.0.0.2 | Intel Core | .....
127.0.0.2 | Intel Core | .....
What I want to do is to make each row take the unique available value for Model taking the only non-blank value that shows up for that IP, and being able to count the events, I tried with stats values(Model) by IP, Several Fields, but 1 - it still shows blank spaces, and 2 - it breaks the event statistics so I want to count each entry of the several fields. Could you please show me the best way to do this? Thank you in advance!
| makeresults | eval events="10.0.0.1 | myserver.com | AMD Ryzen | | USA |RandomText|RandomText|RandomText
10.0.0.2 | myserver.com | Intel Core | |Canada |RandomText|RandomText|RandomText
10.0.0.1 | myserver.com | | Dell | |RandomText|RandomText|RandomText
10.0.0.2 | myserver.com | | Lenovo | |RandomText|RandomText|RandomText"
| rex max_match=0 field=events "(?<events>.*)\n*"
| mvexpand events
| rex field=events "(?<IP>[^\|]+)\|(?<Server>[^\|]+)\|(?<Model>[^\|]+)\|(?<Brand>[^\|]+)\|(?<Country>[^\|]+)\|(?<extrafield2>[^\|]+)\|(?<extrafield3>[^\|]+)\|(?<extrafield4>.+)"
| eval IP=trim(IP), Server=trim(Server), model=trim(Model), Brand=trim(Brand), Country=trim(Country), extrafield2=trim(extrafield2), extrafield3=trim(extrafield3), extrafield4=trim(extrafield4)
| fields - _time events
| eventstats values(Model) as Model by IP
| table IP Server Model Brand Country extrafield2 extrafield3 extrafield4
Note that I have put in some trims for the fields but that because of the way I created the data from your post, but perhaps you need to do the same with your real data
| eventstats values(Model) as Model by IP
Thank you for your response! Unfortunately it´s not working it still leaves empty the field model in lots of rows with the same IP as the one that is not empty
Can you share your raw data (anonymised of course) for the events where this is failing?
I am going to try to recreate it as real as I can here:
Something to consider here is that Brand and Model both come from different sources so the rows where Brand is not empty Model is the things both sources have in common are IP and Server.
after applying the command shows like this.
IP | Server | Model | Brand| Country |extrafield2|extrafield3|extrafield4
10.0.0.1 | myserver.com | AMD Ryz | |USA | Text | Text | Text
10.0.0.2 | myserver.com |Intel Core | |Canada | Text | Text | Text
10.0.0.1 | myserver.com | | Dell | | Text | Text | Text
10.0.0.2 | myserver.com | |Lenovo| | Text | Text | Text
what I need to accomplish:
IP | Server | Model | Brand |Country | extrafield2 |extrafield3|extrafield4
10.0.0.1 | myserver.com | AMD Ryz | |USA | Text | Text |Text
10.0.0.2 | myserver.com | Intel Core | |Canada | Text | Text |Text
10.0.0.1 | myserver.com | AMD Ryz | Dell | | Text | Text |Text
10.0.0.2 | myserver.com | Intel Core |Lenovo| |Text | Text |Text
So Country and Brand will always be like that but I need Model to match with both, even when it comes with the source of country and not that of Brand, keeping the number of events to later apply count on them, keeping in consideration that the number of IP´s is in growth.
| makeresults | eval events="10.0.0.1 | myserver.com | AMD Ryzen | | USA |RandomText|RandomText|RandomText
10.0.0.2 | myserver.com | Intel Core | |Canada |RandomText|RandomText|RandomText
10.0.0.1 | myserver.com | | Dell | |RandomText|RandomText|RandomText
10.0.0.2 | myserver.com | | Lenovo | |RandomText|RandomText|RandomText"
| rex max_match=0 field=events "(?<events>.*)\n*"
| mvexpand events
| rex field=events "(?<IP>[^\|]+)\|(?<Server>[^\|]+)\|(?<Model>[^\|]+)\|(?<Brand>[^\|]+)\|(?<Country>[^\|]+)\|(?<extrafield2>[^\|]+)\|(?<extrafield3>[^\|]+)\|(?<extrafield4>.+)"
| eval IP=trim(IP), Server=trim(Server), model=trim(Model), Brand=trim(Brand), Country=trim(Country), extrafield2=trim(extrafield2), extrafield3=trim(extrafield3), extrafield4=trim(extrafield4)
| fields - _time events
| eventstats values(Model) as Model by IP
| table IP Server Model Brand Country extrafield2 extrafield3 extrafield4
Note that I have put in some trims for the fields but that because of the way I created the data from your post, but perhaps you need to do the same with your real data
Thank you very much! It worked!