
If field matches regex then make the value foo

aaronnicoli
Path Finder

Okay so,

I have a field, "basedomain".
This contains a huge list of data such as:

google.com
facebook.com
google.com.au
fbcdn.net
google.co.uk

Now, I wish to rename like values...
So that, anything that matches this regex assumes the value "google".

i.e. (google.com|google.com.au|google.co.uk)
if it matches that regex, then the value becomes simply "google"

I would then create another regex for facebook and so on.

Now, I understand I could just match on google, but as you can see that wouldn't work for facebook.

I'm trying to combine access stats cross domain to single sites, for instance so I can see how much traffic is going to any google services as a whole.

Am I looking in the wrong direction, or is this possible?

Thanks,
Aaron.

1 Solution

dwaddle
SplunkTrust

This is perhaps easiest with a lookup table. You can build a lookup table of the form:

basedomain,service_name
google.com,google
google.com.au,google
google.co.uk,google
facebook.com,facebook
fbcdn.net,facebook

And, from there, you should be able to use the lookup command to "mark up" each value of basedomain with its related service_name, and then you can do your stats operations against the service_name.


aaronnicoli
Path Finder

Okay, seems I am now part way there with the lookup table...

I have the lookup table like so:

basedomain,domaingroup
google.com,google
google.com.au,google

And have configured the lookup like this:

... | lookup common_domains basedomain AS basedomain OUTPUTNEW domaingroup AS domaingroup

The problem I have is this: I can now only print domains that are specifically listed in the lookup table, so if I have yahoo.com come through, it's not displayed because it's not in the lookup table...

I have tried playing with the field names and rewriting the actual basedomain field values themselves but without any success.

Once again, it would be great if someone could point me in the right direction...

This is the desired input and output:

Input:

35MB google.com.au
12MB google.com
4MB yahoo.com
3MB fbcdn.net
1MB google.co.uk

And the desired output:

48MB google
4MB yahoo.com
3MB fbcdn.net

Thanks again,
Aaron.


aaronnicoli
Path Finder

Thank you thank you thank you!!!

Really appreciate the input, hit the nail on the head!


gkanapathy
Splunk Employee

Just add ... | eval domaingroup=coalesce(domaingroup,basedomain) after the lookup, and before your stats.
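The whole pipeline from dwaddle's lookup-table answer and gkanapathy's coalesce fix, as an added example that is not part of the original thread. It assumes the CSV from dwaddle's answer has been uploaded and exposed as a lookup definition named common_domains (the name Aaron uses in his follow-up), with columns basedomain and domaingroup. The five sample rows are constructed with makeresults so the search runs without Aaron's index; the mb values are the ones from his "desired input". The inner case(match(...)) is a hypothetical regex fallback for domains that are not in the lookup yet, which is what the original question asked for; because case() returns null when nothing matches, coalesce falls through to the raw basedomain, so unlisted domains such as yahoo.com are kept instead of dropped.

```spl
| makeresults count=5
| streamstats count AS n
| eval basedomain=case(n==1, "google.com.au", n==2, "google.com", n==3, "yahoo.com",
                       n==4, "fbcdn.net", n==5, "google.co.uk"),
       mb=case(n==1, 35, n==2, 12, n==3, 4, n==4, 3, n==5, 1)
| eval basedomain=lower(trim(basedomain))
| lookup common_domains basedomain OUTPUTNEW domaingroup
| eval domaingroup=coalesce(domaingroup,
        case(match(basedomain, "^google\.(com|com\.au|co\.uk)$"), "google",
             match(basedomain, "^(facebook\.com|fbcdn\.net)$"), "facebook"),
        basedomain)
| stats sum(mb) AS mb BY domaingroup
| sort - mb
```

Expected result with dwaddle's table: google 48, yahoo.com 4, facebook 3 (fbcdn.net is grouped under facebook because the table maps it there; drop that row from the CSV and the regex branch to keep it separate, as in Aaron's desired output). Two practical points: lookup matching is case-sensitive unless the lookup definition is created with case-insensitive matching, so normalising basedomain with lower() first avoids silent misses; and the regexes are anchored with ^ and $ so that an unrelated domain ending in google.com is not swallowed into the google group.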


aaronnicoli
Path Finder

Fantastic, lookup tables, I have never used them but this seems like the perfect place to start!

Thank you!
