Splunk Search

help in eval

marees123
Path Finder

Hi Guys,

I need some help. I have two types of logs.

nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot
nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -

I created a query to list these logs in a table format...

*swt* "cold boot" OR "system restarted" | rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)" | rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)" | eval state=coldboot+restart | table host, state, _time

I'm trying to bring both results into the column called state with "eval state=coldboot+restart". I'm not getting anything in the column state. Please help me sort this out.

host                 state         _time
nwfin1swt2                  2015-07-27 23:01:29
nwfin2sw1001                  2015-07-27 15:58:36.267
1 Solution

somesoni2
SplunkTrust

Try this

 *swt* "cold boot" OR "system restarted" | rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)" | rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)" | eval state=coalesce(coldboot,"")+coalesce(restart,"") | table host, state, _time

Since both fields appear in different events, one will have a null value when the other is not null. The coalesce command will take the first not-null value (so the null value for coldboot or restart will be replaced by an empty string) and the concatenation will work fine.
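The null behaviour somesoni2 describes, worked through in Python as an added example (this is not code from the thread): it runs the thread's two rex patterns over constructed copies of the two sample events and emulates Splunk's eval semantics, where `+` or `.` with a null operand yields null, beside the coalesce() version. Splunk's `(?<name>...)` groups are written in Python's `(?P<name>...)` form; the event dicts and helper names are assumptions.

```python
import re

# Constructed copies of the two sample events from the thread (host field assumed).
EVENTS = [
    {"host": "nwfin1swt2",
     "_raw": "nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot"},
    {"host": "nwfin2sw1001",
     "_raw": "nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -"},
]

# The two rex extractions from the thread; Python needs (?P<name>...) for named groups.
REX_COLDBOOT = re.compile(r"(?i) Module 1: (?P<coldboot>\w+\s+\w+)")
REX_RESTART = re.compile(r"(?i) %SYS-CFC[1-9]-5-RESTART: (?P<restart>\w+\s+\w+)")


def rex(event, pattern):
    """Emulate `| rex`: add the named groups to the event only when the pattern matches."""
    m = pattern.search(event["_raw"])
    if m:
        event.update(m.groupdict())
    return event


def concat_strict(*values):
    """Emulate `+` / `.` in eval: if any operand is null, the whole result is null."""
    if any(v is None for v in values):
        return None
    return "".join(values)


def coalesce(*values):
    """Emulate eval's coalesce(): the first argument that is not null."""
    for v in values:
        if v is not None:
            return v
    return None


def build_table(events, null_safe):
    """Emulate `| table host, state` for both variants of the eval from the thread."""
    rows = []
    for ev in events:
        ev = rex(rex(dict(ev), REX_COLDBOOT), REX_RESTART)
        coldboot, restart = ev.get("coldboot"), ev.get("restart")
        if null_safe:   # eval state=coalesce(coldboot,"")+coalesce(restart,"")
            state = concat_strict(coalesce(coldboot, ""), coalesce(restart, ""))
        else:           # eval state=coldboot+restart
            state = concat_strict(coldboot, restart)
        rows.append({"host": ev["host"], "coldboot": coldboot, "restart": restart, "state": state})
    return rows
```

Only one of the two extractions matches any given event, so the plain concatenation leaves state null on every row, which is exactly the empty column in the question.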


marees123
Path Finder

Thanks a lot. It worked..... 🙂 Awesome...

Thanks again,


ohlafl
Communicator

What does *swt* "cold boot" OR "system restarted" imply?

Would this method be possible to use with two fields where the regex is replaced by getting data directly from a value?


marees123
Path Finder

Yes.. this will give the raw results which contain the words cold boot and system restarted.. like below

nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot
nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -


krishnarajapant
Path Finder

Hi,

I believe you have to give space after the field names in eval expression.

*swt* "cold boot" OR "system restarted" | rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)" | rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)" | eval state= coldboot + restart | table host, state, _time

-Krishna Rajapantula.


krishnarajapant
Path Finder

Hi,

I'm not sure why it is not working for you. I have tested this in my environment. Did you try in your eval expression eval state= field1 + field2? A space between field1, + and field2?

-Krishna Rajapantula


marees123
Path Finder

Yes Krishna... tried the same and used . as well... don't know why... still searching....


marees123
Path Finder

Hi Krishna...

Thanks... I tried.. but no output 😞


aholzel
Communicator

I assume that you are trying to concatenate the fields "coldboot" and "restart" into the field "state"; in that case you need to use a "." and not a "+" to get them both in "state". Now you are trying to count them.


marees123
Path Finder

Hi aholzel,

Thanks for the reply.

Yes. I tried that as well: eval state = coldboot.restart

Still it's not working.


marees123
Path Finder

I tried state = coldboot." ".restart as well.. no results....


aholzel
Communicator

Do you get any data if you try them individually?

.... | table host coldboot restart _time

and just to be sure you could add the "field=_raw" parameter to the rex command:

... | rex field=_raw "YOUR REGEX HERE"

marees123
Path Finder

Yes... I'm getting results if I use them separately... concatenation is not working.


aholzel
Communicator

aaaa I think I see it.. in your regex you forgot the slash in front of w+ and s+ so that gives you empty fields.. I tested and this should work:

*swt* "cold boot" OR "system restarted" 
| rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)" 
| rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)" 
| eval state=coldboot." ".restart 
| table host, state, _time

marees123
Path Finder

Hi Aholzel,

This is the same script I used earlier.

eventtype = net *swt* "cold boot" OR "system restarted"
| rex "(?i) Module 1: (?P<coldboot>\w+\s+\w+)"
| rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?P<restart>\w+\s+\w+)"
| eval state=coldboot." ".restart
| table host, state, _time

Where did I miss ""? Please let me know. Thanks.


marees123
Path Finder

If I display coldboot and restart separately, I'm getting results.


aholzel
Communicator

I see the slash is then probably only missing here because you didn't put everything in a code sample block.

I did this query to test and then everything is working:

index=* earliest=-10s@s
| eval colddata="nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot" 
| eval restartdata="nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -"
| rex field=colddata "(?i) Module 1: (?<coldboot>\w+\s+\w+)"
| rex field=restartdata "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)"
| eval status=coldboot." ".restart
| table coldboot restart status

Can you test if that is also working in your environment? I did this in Splunk 6.2.3.

marees123
Path Finder

Hi aholzel,

It's listing all devices, and all results are getting filled with the same values. Please check the below logs for your reference.

host coldboot restart status
lb01b Cold boot System restarted Cold boot System restarted
lb01b Cold boot System restarted Cold boot System restarted
lb01b Cold boot System restarted Cold boot System restarted
