Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use substr to extract the first 3 letters of a field and use it as a grouping field?

chq_alanf
Explorer
‎01-28-2015 08:51 AM

I'm not sure I asked the right question, but I'd like to use substr to extract the first 3 letters of a field and use it as a grouping field. My query is as follows:

 * | stats sum(bytes_in) as MB by user_id as substr(user_id,1,3) | eval MB=round(MB/1024/1024,2) | sort -MB head 20

The syntax validates, however, no results are returned. Taking the substr out returns results, but of every user, not grouped by branch code.

Any help would be greatly appreciated.

Reply
1 Solution
Solved! Jump to solution
Solution

chanfoli
Builder
‎01-28-2015 09:02 AM

I would use | eval branch_code=substr(user_id,1,3) | to transform user_id to the 3 letter value before stats

View solution in original post

Reply
Solved! Jump to solution

chanfoli
Builder
‎01-28-2015 11:16 AM

Also, see my latest example below which might help. It looks like by leaving out a pipe you told sort to use the non-existent field "head".

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎01-28-2015 09:02 AM

Hi @chq_alanf

I'm not a search expert, but from looking at Splunk documentation, it looks like "substr" is a function of eval and where, not stats.
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/CommonEvalFunctions

Reply
Solved! Jump to solution

chanfoli
Builder
‎01-28-2015 10:40 AM

Yeah I think stats is simply seeing that as a new field name in the above case.

0 Karma
Reply
Solved! Jump to solution
Solution

chanfoli
Builder
‎01-28-2015 09:02 AM

I would use | eval branch_code=substr(user_id,1,3) | to transform user_id to the 3 letter value before stats

Reply
Solved! Jump to solution

metylkinandrey
Communicator
‎10-06-2022 03:44 AM

Tell me, what should I do in my case, I need from the field: 1.SAPS-SIS.TO.LSP.SEND, or: "12.SAPS-SIS.TO.LSP.RECEIVE
Get field: "routepointIDnum": "1" or "routepointIDnum": "12"

I tried like this and it almost works:
index="main" sourcetype="testsystem-script333"
| eval routepointID_num=substr(routepointID,1,2)
| table routepointID_num

Almost because I get:
"routepointIDnum": "1." or "routepointIDnum": "12"
And I need:
"routepointIDnum": "1" or "routepointIDnum": "12"

0 Karma
Reply
Solved! Jump to solution

chq_alanf
Explorer
‎01-28-2015 11:21 AM

That worked.. Thank you very much!

0 Karma
Reply
Solved! Jump to solution

chq_alanf
Explorer
‎01-28-2015 10:22 AM

Thank You. I've tried that and many other combinations but still no results.

  • | stats eval(round(sum(bytes_in)/1024/1024, 0)) as MB, user_id as BRANCH by MB | eval BRANCH=substr(user_id,1,3) | sort -MB head 20
0 Karma
Reply
Solved! Jump to solution

chanfoli
Builder
‎01-28-2015 10:28 AM

The problem with the above is that your stats gives you BRANCH and MB, then you try to transform a non existent field (user_id). Stats only gives you the fields that you ask for stats on.

0 Karma
Reply
Solved! Jump to solution

chanfoli
Builder
‎01-28-2015 10:44 AM 
* | eval branch_id=substr(user_id,1,3) | stats sum(bytes_in) as MB by branch_id | eval MB=round(MB/1024/1024,2) | sort -MB | head 20
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...