- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to match and filter by substr?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a log where
labelData=123-345
or
lableData=123
How I want to ignore the -345 and just keep the first 3 characters and report on the occurances. The above would count for two occurrences for labelData=123.
I can't seem to figure this out using:
source=*//logs/stdout.log class=myClass | fields labelData | eval newStuff=substr(labelData, 1, 43 | stats count by newStuff | sort count | reverse
Input Note: labelData could also be 456-789. Basically, i just want to match/substr the first 3 characters.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try
source=*//logs/stdout.log class=myClass | fields labelData |regex lableData="123.*" | stats count by labelData | sort count | reverse
This will give you the full string in the results, but the results will only include values with the substring.
If you want to create a new field, then use rex.
source=*//logs/stdout.log class=myClass | fields labelData | rex field=labelData "^(?P<newStuff>123).*" | stats count by newStuff | sort count | reverse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a different answer inspired by above question and responses.
index="indexname" Type="Error"| eval messageInit=substr(Message, 1, 25)| top limit=20 messageInit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try
source=*//logs/stdout.log class=myClass | fields labelData |regex lableData="123.*" | stats count by labelData | sort count | reverse
This will give you the full string in the results, but the results will only include values with the substring.
If you want to create a new field, then use rex.
source=*//logs/stdout.log class=myClass | fields labelData | rex field=labelData "^(?P<newStuff>123).*" | stats count by newStuff | sort count | reverse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For multiple possibilities you would use the OR command for regex, which is the pipe |. For the first three characters only, use the "starts with" symbol, otherwise known as the carrot ^. I'm assuming you mean exactly 456 or 789.
|regex lableData="^456|^789"
To grab just the one that starts with 789, remove the OR.
|regex lableData="^789"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
QQ: what if the input was 456-789 or 789-012? how could I use a regex to extract the first three characters only?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have multiple substrings to capture, then you can do that also.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks again!
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
