- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- eval / rex a field and change its output
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello all,
I have a lookup with two fields sourcetype and interval ( like below) ..some of the intervals are in seconds (which is great) - However some are in cron like (14 01 * * *) --I need to change the ones in cron to 86400 ...Any ideas
sourcetype interval
blah 300
blah2 15 01 * * * *
blah3 3600
blah4 18 02 * * *
Here is my comically bad regex I've been working with, but cant seem to make it work
| rest splunk_server=local /services/data/inputs/script
| search (disabled = 0 AND interval=*)
| dedup sourcetype
| eval output=if(match(interval="(\d+)(\d+).(\d).(*).(*).(*)")),"86400","interval")
| table sourcetype interval output
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rest splunk_server=local /services/data/inputs/script
| search (disabled = 0 AND interval=*)
| eval output=if(match(interval,"^-?\d+$"),"interval","86400")
| stats values(interval) as interval values(output) as output by sourcetype
Hi, @spluzer
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rest splunk_server=local /services/data/inputs/script
| search (disabled = 0 AND interval=*)
| eval output=if(match(interval,"^-?\d+$"),"interval","86400")
| stats values(interval) as interval values(output) as output by sourcetype
Hi, @spluzer
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome thanks!..You answered my question perfectly, and will accept accordingly. However, I now realize that it probably makes more sense for me to "replace" the intervals with a cron schedule with 86400 rather than create a new field called output ( for the sake of writing it to a lookup)...Do you have a way to do that...I can ask it in other question form if you prefer...Thanks again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Check this
| rest splunk_server=local /services/data/inputs/script
| search (disabled = 0 AND interval=*)
| eval interval=if(match(interval,"^-?\d+$"),'interval',"86400")
| stats values(interval) as interval by sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, that does it. I'm an idiot ..lol...Thanks!
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
