Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a new key-value pair from various fieldnames with a similar pattern?

HeinzWaescher
Motivator
‎02-07-2017 02:37 AM

Hi,

my events can include a fieldname with a pattern like:

product_type_a
product_type_b
product_type_c

To group calculations by product type, I think about creating a new key-value pair like
type=product_type_A. I could use a CASE command, but then I need to know all product_type_* that will appear in the future.
Is there a way to use something like COALESCE in combination with a wildcard or LIKE, to grab the first appearing fieldname as value?

Thanks in advance
Heinz

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-07-2017 02:03 PM

Like this:

| rex max_match=1 "(?<type>product_type_\w+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gvmorley
Contributor
‎02-08-2017 02:32 AM

Hi,

Sounds like your just looking to use the rex command. So either of these depending on what format you want:

| rex "product_type_(?<type>[^\s]+)"

or

| rex "(?<type2>product_type_[^\s]+)"

Which would look like this:

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-07-2017 02:03 PM

Like this:

| rex max_match=1 "(?<type>product_type_\w+)"
0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎02-08-2017 02:09 AM

I tried that out but the search shows an error:

Error in 'SearchOperator:regex': Usage: regex (=|!=)

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-08-2017 09:58 AM

I had a typo! I meant rex, not regex! Try the fixed answer now!

0 Karma
Reply
Solved! Jump to solution

adayton20
Contributor
‎02-07-2017 04:28 AM

I'm not sure if I understand completely what your request is. Are you saying Splunk is extracting different product names from your events as their own individual fields? Could you provide a few samples of your events, and a screen shot? I may be able to help, but I'd need to see the data first.

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎02-08-2017 02:08 AM

I would like to extract a new key value pair from fieldnames that can appear in the events.
Let's say we have 3 events, with these fieldnames and amounts.

event1: product_type_a=5
event2: product_type_b=8
event:3 product_type_c=10

What I want to do here, is to transform fieldnames with the pattern product_type_* into values for the new field "type". So in the end, I have a new field per event

event1: type=product_type_a
event2: type=product_type_b
event3: type=product_type_c

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-07-2017 02:52 AM

Hi HeinzWaescher,
could you detail your question?
you can group events by type using stats command, but you already know!
if you want, you could also populate a lookup with a scheduled search and list all the type values to use in your statistic searches.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...