Similar values of differing length

Woody
New Member

Folks,

We have extracted fields with example values like the below:

9979592435350
9810979592435350
900979592435350
810979592435350
800979592435350
700979592435350
15979592435350
979592435350
11979592435350
979592435350
14979592435350
10979592435350
979592435350

To the human eye these are 979592435350 with optionally different digits before. From a data set with lots of such sequences I want to be able to extract the 979592435350 value, and others like it, separately from the varying digits before. Of course, I don't know the 979592435350 value in advance, otherwise it'd be easy!

Generally the numbers I want will be 11-12 digits long, but not always: sometimes it'll be shorter, but it should never be longer. The digits before will be <=4 digits in length most of the time, but I'd prefer to do it without hard-coding the length if possible. The value we want should always be longer than the value that prefixes it, though.

Can anyone think of an elegant way of extracting these values?

Thanks!
Simon


Woody
New Member

Folks,

OK, I might be getting somewhere with this. mvappend() enables me to export multiple substrings of different length with the same field name. So each record now has a 12-digit value, an 11-digit value and so on, as well as the actual recorded value, all with the same field name.

I can do a top or a dc() on these and group them.

The only problem now is that, having done that, I'll need to group by the longest matching value. For example, let's say the longest matching value is the 11-digit one; I will have exactly the same count for any shorter length (10, 9 and so on). I won't have a high count for the 12-digit value, as that has correctly dropped to the bottom because the 1st digit varies. Thus how can I exclude the shorter variants of the same value?

Can anyone see how I can do this, or of course suggest a completely different way to do it?

Thanks!

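As an added example (not code from the original thread), the grouping rule described in the second post, worked through in Python rather than SPL: count every suffix between min_len and max_len digits, then for each value keep the longest suffix whose count still equals the count of the shortest suffix considered, so shorter variants of the same value never form separate groups. The minimum length of 8 and the second, constructed cluster of values are assumptions, added to show the case where a repeated two-digit prefix would otherwise produce a false 12-digit key.

```python
from collections import Counter

# Constructed sample: the 13 values from the question plus a second cluster
# (constructed) whose 10-digit core "4455667788" carries a repeated "00" prefix,
# so a rule that simply took the longest suffix with a repeated count would
# wrongly return a 12-digit key for those rows.
SAMPLE_VALUES = [
    "9979592435350", "9810979592435350", "900979592435350",
    "810979592435350", "800979592435350", "700979592435350",
    "15979592435350", "979592435350", "11979592435350",
    "979592435350", "14979592435350", "10979592435350", "979592435350",
    "004455667788", "004455667788", "014455667788", "4455667788",
]


def split_core(values, max_len=12, min_len=8):
    """Return [(value, prefix, core)] for each value.

    Suffix counts are non-increasing with suffix length, so the core is the
    longest suffix (at most max_len digits) whose count still equals the count
    of the min_len-digit suffix: lengthening it further would split the group.
    """
    counts = Counter()
    for v in values:
        for n in range(min_len, min(max_len, len(v)) + 1):
            counts[v[-n:]] += 1
    rows = []
    for v in values:
        if len(v) < min_len:  # too short to split; the whole value is the core
            rows.append((v, "", v))
            continue
        base = counts[v[-min_len:]]
        core_len = min_len
        for n in range(min_len + 1, min(max_len, len(v)) + 1):
            if counts[v[-n:]] != base:
                break
            core_len = n
        rows.append((v, v[:-core_len], v[-core_len:]))
    return rows


def core_counts(values, **kw):
    """Equivalent of a `top` over the extracted core: rows per core value."""
    return Counter(core for _, _, core in split_core(values, **kw))


if __name__ == "__main__":
    for value, prefix, core in split_core(SAMPLE_VALUES):
        print(f"{value:>16}  prefix={prefix!r:8} core={core}")
    print(core_counts(SAMPLE_VALUES))
```

The one caveat is min_len: if two genuinely different values happen to share their last min_len digits, they are merged into one group, so pick it as long as the data allows.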