So, I have a field called device, and it contains:
- mac
- mac os
- os x
- windows
- android
Is it possible to combine mac os, mac, and os x into a single field value called mac?
@limalbert, add the following eval to your existing search, which will create a new field deviceType based on your field device. The match() evaluation function performs a regular-expression-based pattern match on the field provided (notice I have performed an exact text match for os x (without strict case match)). Regular expressions can be tested with sample data on sites like regex101.com. In this case the pattern is simply the text to be found in the device field:
| eval deviceType=if(match(device,"mac") OR match(device,"^os x$"),"mac",device)
Once tested you can save the above eval as a macro or calculated field Knowledge Object in Splunk for ease of re-usability and maintenance from a single place.
Following is the run anywhere search to test the sample data provided:
| makeresults
| eval device="mac os,mac,os x,windows,android"
| makemv device delim=","
| mvexpand device
| eval deviceType=if(match(device,"mac") OR match(device,"^os x$"),"mac",device)
Sorry, I may have misled you with the data. The field name is device, and the field values are not a single value:
- mac
- mac os
- os x
- windows
- android
Though, I tried using the last line of code, and it works.
| eval device=if(match(device,"mac os") OR match(device,"mac") OR match(device,"os x"), "mac", device)
@limalbert if the device field is multi-valued, can it have both mac and windows in the same event? Do you want to categorize as mac even if windows or android is present?
Yes, I'd like to have both mac and windows in the same field. There is inconsistency in the logs because of updates; that's why there are variations of mac in the device field.
What you have helped me. Thanks!
Well, the reason I asked is that if the same event has a multi-valued field and the device field is available at search time, you can create an Eventtype for identifying mac, which will be faster for filtering results than an eval later on, since the eventtype will be applied to the base search.
Save the following as an event type for mac:
<YourBaseSearch> device="mac" OR device="os x"
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouteventtypes.
I am not sure if this is what you want, but do give it a try if it is.
Regex has an easier syntax: "^mac os|mac|os x$". So to follow the above answer, you can
| eval deviceType = if(match(device,"^mac os|mac|os x$"), "mac", device)
@yuanliu, I did not want to enforce a strict match for mac. However, for the given data set the one you have provided works well too. Let's see if @limalbert is able to test and confirm.
@niketnilay the point is the power of regex. To achieve exactly what your original expression does, "mac|^os x$". But to really nail on certain variations, such as inclusion of "mac os 1.3" and "os x 10.11" and excluding possible newcomers like "emac os", you can exert even more control without adding too many ands and ors, like "^(mac( os|)|os x( [\d.]+|))$". (My above expression in fact did not express what I meant, which should be "^(mac os|mac|os x)$". Yes, like all algorithms, applicability depends on data set.)
Would making a tag meet your need? http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Abouttagsandaliases