Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a new key-value pair from various fieldnames with a similar pattern?

HeinzWaescher
Motivator
‎02-07-2017 02:37 AM

Hi,

my events can include a fieldname with a pattern like:

product_type_a
product_type_b
product_type_c

To group calculations by product type, I think about creating a new key-value pair like
type=product_type_A. I could use a CASE command, but then I need to know all product_type_* that will appear in the future.
Is there a way to use something like COALESCE in combination with a wildcard or LIKE, to grab the first appearing fieldname as value?

Thanks in advance
Heinz

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-07-2017 02:03 PM

Like this:

| rex max_match=1 "(?<type>product_type_\w+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gvmorley
Contributor
‎02-08-2017 02:32 AM

Hi,

Sounds like your just looking to use the rex command. So either of these depending on what format you want:

| rex "product_type_(?<type>[^\s]+)"

or

| rex "(?<type2>product_type_[^\s]+)"

Which would look like this:

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-07-2017 02:03 PM

Like this:

| rex max_match=1 "(?<type>product_type_\w+)"
0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎02-08-2017 02:09 AM

I tried that out but the search shows an error:

Error in 'SearchOperator:regex': Usage: regex (=|!=)

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-08-2017 09:58 AM

I had a typo! I meant rex, not regex! Try the fixed answer now!

0 Karma
Reply
Solved! Jump to solution

adayton20
Contributor
‎02-07-2017 04:28 AM

I'm not sure if I understand completely what your request is. Are you saying Splunk is extracting different product names from your events as their own individual fields? Could you provide a few samples of your events, and a screen shot? I may be able to help, but I'd need to see the data first.

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎02-08-2017 02:08 AM

I would like to extract a new key value pair from fieldnames that can appear in the events.
Let's say we have 3 events, with these fieldnames and amounts.

event1: product_type_a=5
event2: product_type_b=8
event:3 product_type_c=10

What I want to do here, is to transform fieldnames with the pattern product_type_* into values for the new field "type". So in the end, I have a new field per event

event1: type=product_type_a
event2: type=product_type_b
event3: type=product_type_c

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-07-2017 02:52 AM

Hi HeinzWaescher,
could you detail your question?
you can group events by type using stats command, but you already know!
if you want, you could also populate a lookup with a scheduled search and list all the type values to use in your statistic searches.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...