Splunk Search

How to take out numeric numbers at the end of the event?

axl88
Communicator

Hi all,

I need a little help from a good Regexp guy, or maybe I'm so bad that the guy could be moderate.
I have a log file in which I need to categorize errors.

My regexp is: (?i)^(?:[^ ]* ){8}(?P<MY_VALUE>.+)(?=\d{8}\.) -> matches the first line, ignores any other type

Here are the 2 events:
Mask failed to grab activity for response 1234567.
Error in Application for PID 3131: System.Exception: Error processing the following address:

So my question is: I want to match both lines. The problem is, in order to identify overall performance for my system, I need to get rid of ID numbers (it is at the end of the first line; ignore the digits after PID, I need them 🙂). So the first line should match until the numbers, whereas the second line is matched totally.

I tried some but I couldn't figure out how to ensure that.

Thanks in advance for your time and effort.

0 Karma

martin_mueller
SplunkTrust

To get rid of a number at the end of an event at search time you can do this:

base search | rex mode=sed "s/\s*\d+(\.\d+)?\s*$//"

That looks for a number, possibly with decimal places, and removes it along with surrounding whitespace if and only if the number is at the end of the event. You can restrict this to a specific field by specifying field=name.

Note, your example event had an additional literal dot at the end of the event - if that's accurate you'll need to amend the regex like this:

s/\s*\d+(\.\d+)?\s*\.?$//
0 Karma
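To see what the sed-mode expression in this answer actually does to the two events from the question, here is an added example (not from the original thread) that runs the same pattern with Python's re module as a stand-in for Splunk's PCRE rex, then groups the stripped events the way a `stats count by` over the extracted field would; the event strings are constructed from the question.

```python
import re
from collections import Counter

# Same regex as the Splunk search:  rex mode=sed "s/\s*\d+(\.\d+)?\s*\.?$//"
# - \s*\d+        a run of digits (with any whitespace before it)
# - (\.\d+)?      optional decimal places
# - \s*\.?$       optional whitespace and one trailing literal dot, then end of event
TRAILING_NUMBER = re.compile(r"\s*\d+(\.\d+)?\s*\.?$")

# Constructed sample events, modelled on the two lines in the question
# (third one added to show a trailing ID without the final dot).
EVENTS = [
    "Mask failed to grab activity for response 1234567.",
    "Error in Application for PID 3131: System.Exception: Error processing the following address:",
    "Mask failed to grab activity for response 7654321",
]


def strip_trailing_number(event: str) -> str:
    """Return the event with a number at its very end removed.

    Numbers in the middle of the line (the PID) are untouched because the
    pattern is anchored to the end of the event with '$'.
    """
    return TRAILING_NUMBER.sub("", event)


def error_categories(events) -> dict:
    """Count events per normalised message, like `| stats count by MY_VALUE`."""
    return dict(Counter(strip_trailing_number(e) for e in events))


if __name__ == "__main__":
    for event in EVENTS:
        print(repr(strip_trailing_number(event)))
    print(error_categories(EVENTS))
```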

martin_mueller
SplunkTrust

I did. Now what?

0 Karma

axl88
Communicator

Please read my question again with the comments.

0 Karma

axl88
Communicator

I have both patterns, unfortunately.
Some end with ".", some with just a number.
But these are the only possibilities with the number at the end of the line.
All the numbers in the events are 8 digits.
Now that you ask, I just realized that we may possibly get rid of all 8-digit numbers, right?

0 Karma

somesoni2
Revered Legend

And the numbers at the end, do they follow some pattern? Like having a dot "." at the end, or always being 7-8 digits?

0 Karma

axl88
Communicator

It is a search result. I can't remove event data as I'll be getting it remotely.
I have two panels in a dashboard;
user selection in the "master view" would detail the chosen value in the "detail view".
I'm on the step of detailing logs for the detail view.

Since JavaScript would come into play, I should create a generic extracted field for each log so that I can minimize the complexity in JavaScript.

My plan is to extract a field with the pattern I desire above
and use it for a search that will come through a JS permalink.

0 Karma

somesoni2
Revered Legend

You want to remove them from the event data itself or you want to remove them from just the search result?

0 Karma