Splunk Search

Rename group by value

shangshin
Builder

Hi,
I am using splunk to monitor the performance of a number of long urls and the search strring is like :

| stats max(time_in_sec), perc90(time_in_sec), perc75(time_in_sec), perc50(time_in_sec), avg(time_in_sec), min(time_in_sec), stdev(time_in_sec) by ping_url

It's working fine but the url is too long to fit in the dashboard. I am wondering if there is a way to function to display the short name in the result? Thanks!

e.g. RENAME www.google.com AS Google

Tags (3)
0 Karma
1 Solution

kristian_kolb
Ultra Champion

I can see a few options;

If you have a large number of URLs you can extract the significant portion with the substr function.

... | eval shorty = substr(url,40) | the_rest_of_your_search by shorty

If you have a few loooong but fairly static urls you can set up a case evaluation

...| eval shorty = case(url == "/long/url/number1", "long1", url == "/long/url/number2", long2, url == "really/long/url/number/3", "long3") | the_rest_of_your_search by shorty

See the docs for eval for more info.

If all your URLs start the same way, e.g. /this/is/the/base/directory/in/all/urls/for/the/site/page1.htm, you can make a field extraction that skips the redundant levels (or as Ayn suggests, use replace).

Hope this helps somewhat,

Kristian

edit: update, spelling

View solution in original post

0 Karma

GKC
Explorer

I would really recommend the use of lookup tables here, that way you can always add/modidy/delete any entries there that you may use in your searches. This way you can configure in an eficient way how you want each url to be displayed in order to be readable too.

Here it is some easy to follow info on the subjetc:
http://docs.splunk.com/Documentation/Splunk/5.0/knowledge/Addfieldsfromexternaldatasources

0 Karma

kristian_kolb
Ultra Champion

I can see a few options;

If you have a large number of URLs you can extract the significant portion with the substr function.

... | eval shorty = substr(url,40) | the_rest_of_your_search by shorty

If you have a few loooong but fairly static urls you can set up a case evaluation

...| eval shorty = case(url == "/long/url/number1", "long1", url == "/long/url/number2", long2, url == "really/long/url/number/3", "long3") | the_rest_of_your_search by shorty

See the docs for eval for more info.

If all your URLs start the same way, e.g. /this/is/the/base/directory/in/all/urls/for/the/site/page1.htm, you can make a field extraction that skips the redundant levels (or as Ayn suggests, use replace).

Hope this helps somewhat,

Kristian

edit: update, spelling

0 Karma

c48571
New Member

What does the 40 stand for in substr(url,40)?

0 Karma

to4kawa
Ultra Champion

@c48571
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/TextFunctions#substr.28X.2CY.2CZ...

see reference

and try googling substr site:docs.splunk.com

0 Karma

Ayn
Legend

You can use the match function for this. See more info in the docs on eval functions. http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions

0 Karma

shangshin
Builder

Thanks a lot! This is very helpful!!!
I ma wondering if the CASE function supports regular expression so the search string is cleaner? e.g.

...| eval shorty = case(url == "*number1*", "long1", url == "*number2*", long2, url == "*number3*", "long3") | the_rest_of_your_search by shorty
0 Karma

Ayn
Legend

You probably want replace (http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Replace 😞

... | replace www.google.com with Google
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...