All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

iterating non uniform fields and value in splunk

kannu
Communicator
‎01-12-2018 03:17 AM

Hi splunkers
Good morning,

I have came across a new problem

ProgramName = StarMovies
ProgramName = starmovies
ProgramName = starMovies
programName = Star Movies
ProgramName = Starmovies

Like this i have a data in my logs . what i want that all these field should combine and programname count should be 5 for starmovies

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-12-2018 05:13 AM

Hi kannu,
at first it's an error or you could have different field names: ProgramName and programName (different case for P)?

if you have different field names you can use coalesce funtion:

| eval ProgramName=coalesce(ProgramName, programName)

I don't know if it's acceptable for you, but you could transform each value in upper or lower case and delete spaces between words, in this way you have the same value and you can count values using stats command:

Your_search
| eval ProgramName=lower(trim(ProgramName))
| rex field=ProgramName mode=sed "s/\s//"
| stats count BY ProgramName

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-12-2018 05:13 AM

Hi kannu,
at first it's an error or you could have different field names: ProgramName and programName (different case for P)?

if you have different field names you can use coalesce funtion:

| eval ProgramName=coalesce(ProgramName, programName)

I don't know if it's acceptable for you, but you could transform each value in upper or lower case and delete spaces between words, in this way you have the same value and you can count values using stats command:

Your_search
| eval ProgramName=lower(trim(ProgramName))
| rex field=ProgramName mode=sed "s/\s//"
| stats count BY ProgramName

Bye.
Giuseppe

Reply
Solved! Jump to solution

kannu
Communicator
‎03-02-2018 08:36 AM

Hi @cusello

actually sorry for the mistake data was like this

ProgramName = Star Movies HD
ProgramName = Star MoviesHD
ProgramName = StarMovies HD

Want to make them all three look identical like Star Movies HD
Only spaces are creating trouble
can you help me in that

0 Karma
Reply
Solved! Jump to solution

kannu
Communicator
‎03-02-2018 10:32 PM

No problem i have figured it out by myself

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...