Solved: Re: how to trim output

marees123 · ‎05-13-2015

Hi Experts,

i'm getting the below output in my search (index=LB example.domain.com* "monitor status *")

May 4 20:16:05 netloadBalance_1a notice mcpd[7457]: 01070727:5: Pool /Common/example.domain.com member /Common/192.168.2.24:443 monitor status up. [ /Common/tcp_443: up ] [ was up for 55hrs:23mins:26sec ]

i would like to get the output like

example.domain.com 192.168.2.24:443 monitor status up

please advise

richgalloway · ‎05-13-2015

This should do the trick.

index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P<domain>[^ ]+).*\/(?P<status>[\d\.:]+ monitor status \w+\.)" | table domain status

Replace "<" and ">" with "<" and ">", respectively.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-13-2015

This should do the trick.

index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P<domain>[^ ]+).*\/(?P<status>[\d\.:]+ monitor status \w+\.)" | table domain status

Replace "<" and ">" with "<" and ">", respectively.

---
If this reply helps you, Karma would be appreciated.

marees123 · ‎05-13-2015

Thank you Richgalloway,

im getting the second output... 192.168.2.24:443 monitor status up

need to get the first output also which is the url name, like....

example.domain.com 192.168.2.24:443 monitor status up

richgalloway · ‎05-13-2015

I've updated my answer. You may need to adjust the regex depending on if "/Common/" is a fixed string or not.

---
If this reply helps you, Karma would be appreciated.

marees123 · ‎05-13-2015

Thank you ....

Yes... It is working fine

can we concatenate that domain & status together?

richgalloway · ‎05-13-2015

Certainly. Just use an eval like this eval foo=domain+" "+status

---
If this reply helps you, Karma would be appreciated.

marees123 · ‎05-13-2015

Sorry Richgalloway...

where do i need to insert this command... i'm poor in quries...

richgalloway · ‎05-13-2015

Put it before the table command then change the table command to table foo.

---
If this reply helps you, Karma would be appreciated.

marees123 · ‎05-13-2015

you are awesome...

thanks a lot.. its working perfectly 🙂

marees123 · ‎05-13-2015

Hi Richgalloway

Sorry....

what we need to do to display like a below sentence...

example.domain.com monitor status changed to up/down on node 192.168.2.24:443

richgalloway · ‎05-13-2015

You have most of what you need already. All you have to do is tweak the regex string and the eval:

index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P&lt;domain&gt;[^ ]+).*\/(?P&lt;node&gt;[\d\.:]+) monitor status (?P&lt;status&gt;\w+\.)" | eval sentence=domain+" monitor status changed to "+status+" on node "+node | table sentence

---
If this reply helps you, Karma would be appreciated.

marees123 · ‎05-13-2015

Thanks a lot ....:-)

marees123 · ‎05-14-2015

Hi Richgalloway,

example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:18
example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:18
example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:22
example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:22
example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:22
example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:26

shall i get a single entry for down and up in a single search.... if the domain name and IP address is same...

richgalloway · ‎05-14-2015

That's easily done using the dedup command.

index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P&lt;domain&gt;[^ ]+).*\/(?P&lt;node&gt;[\d\.:]+) monitor status (?P&lt;status&gt;\w+\.)" | dedup domain node | eval sentence=domain+" monitor status changed to "+status+" on node "+node | table sentence

---
If this reply helps you, Karma would be appreciated.

marees123 · ‎05-14-2015

Thank you:-)

but it is displaying only UP not down...

richgalloway · ‎05-15-2015

It is displaying the most recent status. To show the most recent down and up states, change the dedup command to dedup domain node status.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎05-13-2015

Great! Please accept the answer.

---
If this reply helps you, Karma would be appreciated.

how to trim output

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases