Solved: truncating and merge values

exocore123 · ‎06-29-2017

I have a bunch of log error descriptions that have unique IDs at the end of the sentences
"CC declined. 123" 1 "CC declined. 456" 1 "Some error. 921" 1 "Some error. 222" 1

I want to truncate the rest of the numbers and merge the count so the result looks like

"CC decined" 2 "Some error" 2

In addition, is there a way to automatically do this without stating every single instances that I want to truncate?

woodcock · ‎06-29-2017

Like this:

|makeresults | eval raw="CC declined. 123,1
CC declined. 456,1
Some error. 921,1
Some error. 222,1
Failed server 2,1
Failed server 12,1
CC declined. x12,1"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<description>.*?),(?<count>\d+)$"
| table description count

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| rex field=description mode=sed "s/\s+\d+$//"
| stats sum(count) AS count BY description

View solution in original post

woodcock · ‎06-29-2017

Like this:

|makeresults | eval raw="CC declined. 123,1
CC declined. 456,1
Some error. 921,1
Some error. 222,1
Failed server 2,1
Failed server 12,1
CC declined. x12,1"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<description>.*?),(?<count>\d+)$"
| table description count

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| rex field=description mode=sed "s/\s+\d+$//"
| stats sum(count) AS count BY description

exocore123 · ‎06-29-2017

Seems like your regex matches whitespace then number, can i terminate the moment I see a period/any special characters

woodcock · ‎06-29-2017

It strips off all trailing digits and the white space in front of it.

exocore123 · ‎06-29-2017

Yes, but is there a pattern to strip the moment a special character is seen, strip the rest of the string. Or strip off starting from the special character too is fine

exocore123 · ‎06-29-2017

| rex field=description "^(?<description>[^\r\.]+)" something like this, but for many special characters

woodcock · ‎06-29-2017

Yes, like this:

| rex field=description mode=sed "s/[specialcharacterlisthere].*$//"

DalJeanis · ‎06-29-2017

try this, where desc is the field name.

| rex field=desc "^(?<desc>(?i)[\w\s]+?)[^\w]?\s*\w?\d+$"

The complication comes from that x12 at the end of one, with no special characters in it.

Assumptions: the last character of the description field will always be a number.

exocore123 · ‎06-29-2017

What about matching the first special character/non-word character?

exocore123 · ‎06-29-2017

I used | rex field=description "^(?<description>[^\r\.]+)", but I am getting "Unexpected closed tag"

woodcock · ‎06-29-2017

Show us a diverse set of raw events and the separated out description filed values.

exocore123 · ‎06-29-2017

description         count
"CC declined. 123"     1
"CC declined. 456"     1
"Some error. 921"      1
"Some error. 222"      1
"Failed server 2"      1
"Failed server 12"     1
"CC declined. x12"     1

to

     description         count
"CC declined"     3
"Some error"      2
"Failed server"      2

I guess can we automatically truncate the string the moment we see any type of special character?

truncating and merge values

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!