Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replace a value in a multivalue field?

jmedved
Explorer
‎02-19-2016 02:28 PM

I am trying to report on user web activity to a particular category as well as list the URLs in that category. I have the following so far.

Search...
| eval MB = bytes_to_server/1024/1024
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

This works, but I would like to consolidate some of the URLs. For example, I would like to just make lb1.cloudsite.com, lb2.cloudsite.com, etc into 1 url of cloudsite.com

I attempted using the following eval and it works, but I am left with no other results. I read up on the case function and I understand why it does that, but I am still looking for another function that will do that as well as leave me with the other results that do not match.

| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com")
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 02:33 PM

YOu need to provide the default value for the case so that if it's not matching cloudsite.com, to use current URL value. Something like this

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com",1=1,url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

SInce you're using just one condition, you can use if condition as well.

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=if(searchmatch("*.cloudsite.com"), "cloudsite.com",url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 02:33 PM

YOu need to provide the default value for the case so that if it's not matching cloudsite.com, to use current URL value. Something like this

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com",1=1,url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)

SInce you're using just one condition, you can use if condition as well.

Search...
| eval MB = bytes_to_server/1024/1024
| eval url=if(searchmatch("*.cloudsite.com"), "cloudsite.com",url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-22-2016 08:46 AM

Instead of 1==1, I use true().

Reply
Solved! Jump to solution

jmedved
Explorer
‎02-23-2016 01:28 PM

Thanks somesoni2! This worked for me. I don't know the difference between 1==1 and true(), but 1==1 seems to be doing the trick.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-23-2016 01:32 PM

Both 1=1 and True() generate boolean true (always), means if any of prior conditions are not true, the value following 1=1 OR true() will be used.

I would say true() will be more efficient method as it's generating boolean true without any evaluation.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...