Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Replace Multiple Strings in a field with values

deepak_negi02
New Member
‎09-07-2020 12:25 PM

Need to replace strings present below in a field with the respective values.

Field1 = "This field contains the information about students: student1, student2; student3.....studentN"

Field2 ="student1:{first_name:ABC,last_name:DEF},student2:{first_name:GHI,last_name:JKL),student3:{first_name & again the same information till StudentN

Need to create a new field which contains value of first_name & last_name from Field2 and replace those values with student1,student2....studentN in Field1

N would vary in each event. it could be [0-100]

What is expected-

Expected_Field="This field contains the information about students:ABC DEF, GHI JKL, till the end N

Suppose the total events is 3 , then Expected_Field needs to be created for all 3 events. 

Ask is to parse the information(names) out of Field2 and Replace with Student in Field1.

Labels (4)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2020 12:41 AM

The following allows for student ids i.e. not strictly student1, student2 etc., and for names in Field2 being in a different order

...
| rex max_match=0 field=Field1 "(?<prefix>[^:]*): (?<students>.*)"
| eval student=split(students, ", ")
| rex max_match=0 field=Field2 "((?<studentname>[^\:\{]*)\:\{first_name:(?<studentfirst>[^,]*),last_name:(?<studentlast>[^\}]*)\},?)"
| eval studentfullname=mvzip(studentfirst,studentlast," ")
| eval student=mvmap(student,mvindex(studentfullname,mvfind(studentname,student)))
| eval students=mvjoin(student,", ")
| eval expected=prefix.": ".students
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2020 11:39 PM

Both @thambisetty  and @renjith_nair  have made good suggestions (although @thambisetty  does need a minor tweak to account for more than 9 students (use "s/student\d+\: and so on) and @renjith_nair  could use @thambisetty 's technique for capturing the initial part of the expected output, and both are missing the space after the ":" - these are minor details).

However, both are based on the not unreasonable assumption that Field2 contains all and only the names in the required order and @thambisetty  also assumes, again not unreasonably, that your events really do have students listed as student1, student2 etc. and not some student id.

Please confirm that this is true and, if so, accept a solution.

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-07-2020 11:43 PM

@ITWhisperer ,

thanks, I have added+ to match more than student9.

————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-07-2020 10:04 PM

 

| makeresults | eval field1="This field contains the information about students: student1, student2, student3",field2="student1:{first_name:ABC,last_name:DEF},student2:{first_name:GHI,last_name:JKL},student3:{first_name:klm,last_name:zyz}"
| rex field=field1 "(?<expected_field>[^:]+)"
| eval expected_field=expected_field.":".field2
| rex field=expected_field mode=sed "s/student\d+\:{first_name:([^,]+),last_name:([^\}]+)\}?/\1 \2/g"

 

————————————
If this helps, give a like below.
0 Karma
Reply

renjith_nair
Legend
‎09-07-2020 09:45 PM

Try this

 

"Your search"
|rex field=Field2 max_match=0 "first_name:(?<_First>.*?),last_name:(?P<_Last>.*?)\}"
|eval Expected_Field="This field contains the information about students:".mvjoin(mvzip(_First,_Last," "),",")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...