Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- way to use case insensitive fields - Not Value
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shariq
Explorer
11-25-2020
01:59 PM
Mydata is like below where the customerNumber can come like CustomerNumber or customernumber or CUSTOMERNUMBER
AND isoCountryCode can come as IsoCountryCode, ISOCountryCode or any other combination.
Now during field extraction Splunk considers all these fields as seperate. though while writing query i want to consider all these fields as one.
Environment = prod-dmz-usch01 | API = testapi| RequestURI = /test/v5/tesdt/10-12345?customerNumber=01-12345&isoCountryCode=US | ProxyRequestFlowName = testDetails-OpenAPIv3GetVerb.
My query is as below:
index=test sourcetype="testsamples" testapi "ProxyRequestFlowName = testDetails-OpenAPIv3GetVerb"
| search isocountrycode=US OR isoCountryCode=US -- this seems to be taking care of multiple values but it is not a good idea to write each field here, how to handle all scenario's ?
| bucket _time span="24h"
| chart count by customerNumber where count in top100 -- i am able to give only one value of customer number here , how can i handle all use cases ?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
11-25-2020
02:29 PM
There are a number of ways to resolve this.
1. Fix the data 🙂
2. Set up a new calculated field which will create your preferred field name based on the others, for example like this
| eval customerNumber=coalesce(customerNumber, CUSTOMERNUMBER, CusomerNumber, customernumber, customerNo)
| eval isoCountryCode=coalesce(isoCountryCode, isocountrycode, ISOCountryCode)In the calculated field definition, you just use the coalesce() part and put in all the field variants you want to normalise to the preferred field name.
Set up one calculated field for each of the fields you want to normalise.
Then in your search you will only need to do
index=test sourcetype="testsamples" testapi "ProxyRequestFlowName = testDetails-OpenAPIv3GetVerb" isoCountryCode=US You can read about the coalesce function here
There are other ways to do this, but this is probably the simplest and most typical way to solve this problem. If you come across a new variant then you can always add it to the coalesce list.
Setting up aliases is another way to do this, but it's not so simple to manage multiple aliases to the same base name.
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shariq
Explorer
11-25-2020
04:16 PM
eval coalesce worked well for me without changing the data at ingestion. thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inventsekar
SplunkTrust
11-25-2020
05:31 PM
yeah, exactly, .. the coalesce is a simple, superb command, many of the new Splunkers(including me ;)) are not aware of.
Splunk guys should include these basic commands into the Splunk Fundamentals 1/2 training!
tagging some splunk employees... @esix_splunk @gkanapathy @yannK @jbsplunk , thanks.!
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
11-25-2020
02:29 PM
There are a number of ways to resolve this.
1. Fix the data 🙂
2. Set up a new calculated field which will create your preferred field name based on the others, for example like this
| eval customerNumber=coalesce(customerNumber, CUSTOMERNUMBER, CusomerNumber, customernumber, customerNo)
| eval isoCountryCode=coalesce(isoCountryCode, isocountrycode, ISOCountryCode)In the calculated field definition, you just use the coalesce() part and put in all the field variants you want to normalise to the preferred field name.
Set up one calculated field for each of the fields you want to normalise.
Then in your search you will only need to do
index=test sourcetype="testsamples" testapi "ProxyRequestFlowName = testDetails-OpenAPIv3GetVerb" isoCountryCode=US You can read about the coalesce function here
There are other ways to do this, but this is probably the simplest and most typical way to solve this problem. If you come across a new variant then you can always add it to the coalesce list.
Setting up aliases is another way to do this, but it's not so simple to manage multiple aliases to the same base name.
Hope this helps.
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
