- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex If Statement Help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This field is called 'Name' and contains around 10000 sever names, I am trying to use an eval formula to create a column to identify the vpvms of the following server name nadcvpvms04b.hca.corpad.net
I am a very new Splunk user I have tried everything and for the life of me can not get this to work and I am sure it is something easy.
This is what I have so far
The case statement I tried
| eval Physical Host Type=case(match(Name,"(?i)\p{Ll}vpvms"),"ESX Host")
and the if statement I tried
| eval Physical Host Type=if(match(Name,"(?i)\p{Ll}vpvms"),"ESX Host","")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't understand exactly what you need but surely it is something like this:
| rex field=Name "(?i)pvms(?<Physical_Host_Type>\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will be better to give exact answer if you provide 1 or 2 lines of logs.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think it is easier then you think.
| eval Physical_Host_Type = case(match(Name,"(?i)vpvms"),"ESX Host",1==1,"None")
This is better for two reasons: Field names should NOT have spaces in them, it can be done, just not recommended. And the "1==1" is your always true statement, so you can filter out those that don't match later on. I have tested this on a different pattern, and it worked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@alacercogitatus I tried your statement with no luck, I have provided a table of the data below. Those CI Names with vpvms I would like to have ESX show up in the Physical_Host_Type
CI Name Physical_Host_Type
ordcwpdbsaasc1b None
ordcvzvms01f None
ordcvpvms02c None
ordcvzvms01d None
nadcvpvms03a None
I appreciate the help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your table there, is your field actually called Name or is it actually 'CI Name' ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@acharlieh Field Name is 'Name' Sorry about that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't understand exactly what you need but surely it is something like this:
| rex field=Name "(?i)pvms(?<Physical_Host_Type>\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is not even a valid command. Please revise.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, skip the eval!
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
