Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a field from value of an existing field?

rwiley
Explorer
‎12-01-2016 07:57 AM

i have this search

index=cmedia sourcetype="adspecificsnmp" 
 | rex field=_raw mode=sed "s/=,/=NA,/g"
 | rex field=_raw max_match=0 "(?(\d+\.)+)(?\d+)=(?[^,]+)"
 | eval tempString=mvzip(sP, (mvzip (sS, sV, "~")), "~")
 | mvexpand tempString
 | rex field=tempString "(?[^~]+)~(?[^~]+)~(?(.*))"
 | eval myString=stringPrefix."".stringSuffix
 | lookup ACMCodes.csv Suffix as stringSuffix OUTPUT Description as description
 | table description, stringValue

this is partial result. there are 28 values in all

     description,                  stringValue
1   Version ,                   2
2   Box ,                       0
3   Port    ,                      0
4   NodeNumber,                 1
5   PositioinofSpot,               1
6   ScheduleSpotPosition,         1
7   EventPosition,               4
8   FramesPerSec,                 30
9   Owner,                       0

i need the description as a field with value of stringValue

Version ,       Box ,         Port,            NodeNumber,         PositionofSpot,
      2 ,         0 ,           0 ,                    1 ,                     1 ,

i hope this makes sense

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Flynt
Splunk Employee
Splunk Employee
‎12-01-2016 01:02 PM

A bit shoestringed here but what if you try

|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

For example in the following test search -

|stats count|fields - count|eval description="Version ,", stringValue="2"|append [|stats count|fields - count|eval description="Box ,", stringValue="0"]|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

Version and Box should show up in the same row.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-02-2016 12:32 AM

Hi rwiley,
did you tried with the transpose command?
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

Flynt
Splunk Employee
Splunk Employee
‎12-01-2016 01:02 PM

A bit shoestringed here but what if you try

|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

For example in the following test search -

|stats count|fields - count|eval description="Version ,", stringValue="2"|append [|stats count|fields - count|eval description="Box ,", stringValue="0"]|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

Version and Box should show up in the same row.

0 Karma
Reply
Solved! Jump to solution

rwiley
Explorer
‎12-07-2016 05:48 AM

thanks Flynt! just what i needed. sorry to take so long on reply. got pulled to another project.

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎12-01-2016 12:42 PM

How about you try |eval {description,}=stringValue right at the end which will create a field name for each description, which it sees and then tabulate that using | table (*,)
Explanation here for the eval expression above

 index=cmedia sourcetype="adspecificsnmp" 
  | rex field=_raw mode=sed "s/=,/=NA,/g"
  | rex field=_raw max_match=0 "(?(\d+\.)+)(?\d+)=(?[^,]+)"
  | eval tempString=mvzip(sP, (mvzip (sS, sV, "~")), "~")
  | mvexpand tempString
  | rex field=tempString "(?[^~]+)~(?[^~]+)~(?(.*))"
  | eval myString=stringPrefix."".stringSuffix
  | lookup ACMCodes.csv Suffix as stringSuffix OUTPUT Description as description
  | eval {description,}=stringValue
  | table (*,)
0 Karma
Reply
Solved! Jump to solution

rwiley
Explorer
‎12-01-2016 12:57 PM

This works. but it doesn't bring it in in one row. it brings in the value for stringValue but the rest of the row is empty.

example:
Date SpotID Zone Channel
1 date

2 478393
3 CNN
4 zone

i was hoping to get this
Date SpotID Zone Channel
1 date 478393 zone CNN

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...