Solved: Need help in extracting value from a field

anoopambli · ‎02-27-2015

i have tried whatever i could to get the desired output rex but not happening, please help..
This is what i am trying to do,

I have a field which has values like below,

OK: C: 10 OK: F: 19.13 OK: G: 0.57 13304 Fri Feb 27 06:39:52 2015 stopping 13304
OK: C: 79.64 OK: E: 66.18 OK: F: 79.41 OK: G: 67.67 OK: H: 72.26 OK: I: 93.33 OK: J: 15.33 OK: K: 17.3 14104 Fri Feb 27 06:57:27 2015 stopping 14104
OK: C: 54.57 OK: I: 6.98 OK: K: 0.99 OK: L: 69.21 17676 Fri Feb 27 06:57:19 2015 stopping 17676

These are drive usage details of remote windows servers, i want to do a clean up on values on this field, ideally this is how it should look like

C: 10 F:19.13 G:0.57
C: 79.64 E: 66.18 F: 79.41 G: 67.67 H: 72.26 I: 93.33 J: 15.33 K: 17.3
C: 54.57 I: 6.98 K: 0.99 L: 69.21

Any idea how i can accomplish this?

cpetterborg · ‎02-27-2015

If you just want to get a field that has the whole set of drive usage stats, you don't need to use rex:

<yoursearch> | eval driveusage=replace (_raw, "OK:\s(\w:)", "\\1") | eval driveinfo=replace(driveusage, "\d+\s\w{3}\s\w{3}\s\d\d\s\d\d:.*$", "")

This is likely to work on all your data and returns the entire string that you want into a single field called driveusage.

View solution in original post

cpetterborg · ‎02-27-2015

If you just want to get a field that has the whole set of drive usage stats, you don't need to use rex:

<yoursearch> | eval driveusage=replace (_raw, "OK:\s(\w:)", "\\1") | eval driveinfo=replace(driveusage, "\d+\s\w{3}\s\w{3}\s\d\d\s\d\d:.*$", "")

This is likely to work on all your data and returns the entire string that you want into a single field called driveusage.

anoopambli · ‎02-27-2015

Thank you guys, that worked perfectly for me. This was a huge help

richgalloway · ‎02-27-2015

This worked for me with your sample data.

... | rex max_match=0 field=foo "(?:OK: (?P<drive>\w:)\s(?P<usage>[\.\d]+))+" | ...

---
If this reply helps you, Karma would be appreciated.

anoopambli · ‎02-27-2015

Thank you for your response. I think we are almost there. With the query given it is creating two fields, one for the drive name and another for the usage. That is perfectly fine, but only thing i noticed is that i am getting only one drive usage. Do i need to do anything to match all others the similar way?

cpetterborg · ‎02-27-2015

If you want to separate them into each drive being in a different field, you have a bit of a problem, because you have a variable number of the drives in each line. The mvexpand that richgalloway suggests will let you separate the values by drive. In your original post you said that you wanted to clean up the data, which is what my eval commands do to produce the line with only the values that you wanted in the single result. What is the point of "cleaning up?" Do you want to extract each drive's value and do statistics on it, or are you just doing a report of the data for a given system, or is there something else that you want to do?

anoopambli · ‎03-02-2015

I was trying to build a table where it shows the hostname then it's curresponding drives and usage. The query with richgalloway shows different drives but when i table them it is not showing all the drives and the usage association is coming up wrong. While using mvexpand, would there be any problem in associating name and value....?

richgalloway · ‎02-27-2015

I neglected to mention rex would extract the fields as multi-valued fields. Use mvexpand to see all values.

... | rex max_match=0 field=foo "(?:OK: (?P<drive>\w:)\s(?P<usage>[\.\d]+))+" | mvexpand drive | mvexpand usage | ...

---
If this reply helps you, Karma would be appreciated.

Need help in extracting value from a field

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!