Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eval / rex a field and change its output

spluzer
Communicator
‎12-11-2019 05:23 AM

hello all,

I have a lookup with two fields sourcetype and interval ( like below) ..some of the intervals are in seconds (which is great) - However some are in cron like (14 01 * * *) --I need to change the ones in cron to 86400 ...Any ideas 

sourcetype          interval


blah                  300

blah2               15 01 * * * *

blah3               3600

blah4                18 02 * * *

Here is my comically bad regex I've been working with, but cant seem to make it work

| rest splunk_server=local /services/data/inputs/script
| search (disabled = 0 AND interval=*)
| dedup sourcetype
| eval output=if(match(interval="(\d+)(\d+).(\d).(*).(*).(*)")),"86400","interval")

| table sourcetype interval output

Thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-11-2019 05:46 AM 
| rest splunk_server=local /services/data/inputs/script
| search (disabled = 0 AND interval=*)
| eval output=if(match(interval,"^-?\d+$"),"interval","86400")
| stats values(interval) as interval values(output) as output by sourcetype

Hi, @spluzer
How about this?

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-11-2019 05:46 AM 
| rest splunk_server=local /services/data/inputs/script
| search (disabled = 0 AND interval=*)
| eval output=if(match(interval,"^-?\d+$"),"interval","86400")
| stats values(interval) as interval values(output) as output by sourcetype

Hi, @spluzer
How about this?

Reply
Solved! Jump to solution

spluzer
Communicator
‎12-11-2019 05:58 AM

Awesome thanks!..You answered my question perfectly, and will accept accordingly. However, I now realize that it probably makes more sense for me to "replace" the intervals with a cron schedule with 86400 rather than create a new field called output ( for the sake of writing it to a lookup)...Do you have a way to do that...I can ask it in other question form if you prefer...Thanks again!

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎12-11-2019 06:30 AM

Hi

Check this

| rest splunk_server=local /services/data/inputs/script 
| search (disabled = 0 AND interval=*) 
| eval interval=if(match(interval,"^-?\d+$"),'interval',"86400") 
| stats values(interval) as interval by sourcetype
0 Karma
Reply
Solved! Jump to solution

spluzer
Communicator
‎12-11-2019 06:39 AM

Yep, that does it. I'm an idiot ..lol...Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...