Solved: truncating and merge values

exocore123 · ‎06-29-2017

I have a bunch of log error descriptions that have unique IDs at the end of the sentences
"CC declined. 123" 1 "CC declined. 456" 1 "Some error. 921" 1 "Some error. 222" 1

I want to truncate the rest of the numbers and merge the count so the result looks like

"CC decined" 2 "Some error" 2

In addition, is there a way to automatically do this without stating every single instances that I want to truncate?

woodcock · ‎06-29-2017

Like this:

|makeresults | eval raw="CC declined. 123,1
CC declined. 456,1
Some error. 921,1
Some error. 222,1
Failed server 2,1
Failed server 12,1
CC declined. x12,1"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<description>.*?),(?<count>\d+)$"
| table description count

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| rex field=description mode=sed "s/\s+\d+$//"
| stats sum(count) AS count BY description

View solution in original post

woodcock · ‎06-29-2017

Like this:

|makeresults | eval raw="CC declined. 123,1
CC declined. 456,1
Some error. 921,1
Some error. 222,1
Failed server 2,1
Failed server 12,1
CC declined. x12,1"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<description>.*?),(?<count>\d+)$"
| table description count

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| rex field=description mode=sed "s/\s+\d+$//"
| stats sum(count) AS count BY description

exocore123 · ‎06-29-2017

Seems like your regex matches whitespace then number, can i terminate the moment I see a period/any special characters

woodcock · ‎06-29-2017

It strips off all trailing digits and the white space in front of it.

exocore123 · ‎06-29-2017

Yes, but is there a pattern to strip the moment a special character is seen, strip the rest of the string. Or strip off starting from the special character too is fine

exocore123 · ‎06-29-2017

| rex field=description "^(?<description>[^\r\.]+)" something like this, but for many special characters

woodcock · ‎06-29-2017

Yes, like this:

| rex field=description mode=sed "s/[specialcharacterlisthere].*$//"

DalJeanis · ‎06-29-2017

try this, where desc is the field name.

| rex field=desc "^(?<desc>(?i)[\w\s]+?)[^\w]?\s*\w?\d+$"

The complication comes from that x12 at the end of one, with no special characters in it.

Assumptions: the last character of the description field will always be a number.

exocore123 · ‎06-29-2017

What about matching the first special character/non-word character?

exocore123 · ‎06-29-2017

I used | rex field=description "^(?<description>[^\r\.]+)", but I am getting "Unexpected closed tag"

woodcock · ‎06-29-2017

Show us a diverse set of raw events and the separated out description filed values.

exocore123 · ‎06-29-2017

description         count
"CC declined. 123"     1
"CC declined. 456"     1
"Some error. 921"      1
"Some error. 222"      1
"Failed server 2"      1
"Failed server 12"     1
"CC declined. x12"     1

to

     description         count
"CC declined"     3
"Some error"      2
"Failed server"      2

I guess can we automatically truncate the string the moment we see any type of special character?

truncating and merge values

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!