Solved: How to combine two field values from the same fiel...

limalbert · ‎11-06-2017

So, I have regex a field called device, and it contains
- mac
- mac os
- os x
- windows
- android

Is it possible to combine mac os, mac, and os x into a single field value called mac?

niketn · ‎11-06-2017

@limalbert, add the following eval to your existing search which will create a new field deviceType based on your field device. The match() evaluation function performs a regular expression based pattern match for the field provided (notice I have performed exact text match for os x (without strict case match)). Regular Expressions can be tested with Sample Data on sites like regex101.com. In this case pattern is simple text to be found in the device field:

|  eval deviceType=if(match(device,"mac") OR match(device,"^os x$"),"mac",device)

Once tested you can save the above eval as macro or calculated field Knowledge Object in Splunk for ease in re-usability and maintenance from a single place.

Following is the run anywhere search to test the sample data provided:

|  makeresults
|  eval device="mac os,mac,os x,windows,android"
|  makemv device delim=","
|  mvexpand device
|  eval deviceType=if(match(device,"mac") OR match(device,"^os x$"),"mac",device)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎11-06-2017

@limalbert, add the following eval to your existing search which will create a new field deviceType based on your field device. The match() evaluation function performs a regular expression based pattern match for the field provided (notice I have performed exact text match for os x (without strict case match)). Regular Expressions can be tested with Sample Data on sites like regex101.com. In this case pattern is simple text to be found in the device field:

|  eval deviceType=if(match(device,"mac") OR match(device,"^os x$"),"mac",device)

Once tested you can save the above eval as macro or calculated field Knowledge Object in Splunk for ease in re-usability and maintenance from a single place.

Following is the run anywhere search to test the sample data provided:

|  makeresults
|  eval device="mac os,mac,os x,windows,android"
|  makemv device delim=","
|  mvexpand device
|  eval deviceType=if(match(device,"mac") OR match(device,"^os x$"),"mac",device)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

limalbert · ‎11-07-2017

Sorry, I may have mislead you with the data. The field name is device, and the field values are not a single value:
- mac
- mac os
- os x
- windows
- android

Though, I tried using the last line of code, and it works.

| eval device=if(match(device,"mac os") OR match(device,"mac"), OR match(device,"os x"), "mac", device)

niketn · ‎11-07-2017

@limalbert if the device field is multi-valued, can it have both mac and windows in same event? Do you want to categorize as mac even if windows or android is present?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

limalbert · ‎11-07-2017

Yes, I'd like to have both mac and windows in the same field. There is inconsistency in the logs because of updates, that's why there are variation of mac in the device field.
What you have, helped me. Thanks!

niketn · ‎11-07-2017

Well the reason why I asked is that if same event has multi-valued field and device field is available at Search time, you can create Eventtype for identifying mac which will be faster for filtering results as compared to eval later on, since eventtype will be applied to base search.

Save the following as event type for mac: <YourBaseSearch> device="mac" OR device="os x"

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouteventtypes.

I am not sure if this is what you want but do give it a try if it is.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

yuanliu · ‎11-07-2017

niketn · ‎11-07-2017

@yuanliu, I did not want to enforce strict match for mac. However, for the given data set the one you have provided works well as well. Lets see if @limalbert is able to test and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

yuanliu · ‎11-07-2017

@niketnilay the point is the power of regex. To achieve exactly what your original expression does, "mac|^os x$". But to really nail on certain variations, such as inclusion of "mac os 1.3" and "os x 10.11" and excluding possible newcomers like "emac os", you can exert even more control without adding too many ands and ors, like "^(mac( os|)|os x( [\d.]+|))$". (My above expression in fact did not express what I meant, which should be "^(mac os|mac|os x)$". Yes, like all algorithms, applicability depends on data set.)

lfedak_splunk · ‎11-06-2017

Would making a tag meet your need? http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Abouttagsandaliases

How to combine two field values from the same field?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!