- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to properly extract fields using regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a following field in my data
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
This means that I have 3 types of cells in this particular event (cell names are dynamic).
How can I split this up so that it is like :
cells : "aN20%title", cells : "basic%ipin", cells : "basic%opin"
so that a command such as
stats count by cells
will produce the following list (can be used to populate dropdowns):
aN20%title
basic%ipin
basic%opin
I also would like to filter my cells, for example:
cells="aN20%title" OR cells="basic%ipin"
This would return all events that have either aN20%title or basic%ipin showing up in the cells field
The "=X" ("=1" in "aN20%title=1") is the number of instances that this type of cell appears.
I would need to be able to add this column with stats sum by cells command.
For example:
if I had 2 events
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
cells : "< aN20%title=2| basic%ipin=2> "
and I wanted to see the sum of the cells, I would receive
aN20%title : 3
basic%ipin : 9
basic%opin : 1
Thus, what is the best way to split this "cells" field up so that I can perform such commands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Given that your initial field is called celldata and contains :
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
This will split out the data into individual events you can massage with stats :
... | rex max_match=100 field=celldata "(?<key>[\S]+=\d+)"
| table _time key <other interesting fields here>
| mvexpand key
| rex field=key "(?<key>[^=]+)=(?<val>.*)"
optionally :
| stats sum(val) by key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Given that your initial field is called celldata and contains :
cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
This will split out the data into individual events you can massage with stats :
... | rex max_match=100 field=celldata "(?<key>[\S]+=\d+)"
| table _time key <other interesting fields here>
| mvexpand key
| rex field=key "(?<key>[^=]+)=(?<val>.*)"
optionally :
| stats sum(val) by key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is amazing, thanks :).
Just to let anyone who reads this know,
it should be field=cells instead of celldata (just to eliminate any confusion)
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
