Splunk Search

how to take out numeric numbers at the end of the event?

axl88
Communicator

Hi all,

I need a little help from a good Regexp guy, or maybe I'm so bad that the guy could be moderate.
I have a log file in which I need to categorize errors.

my regexp is: (?i)^(?:[^ ]* ){8}(?P<MY_VALUE>.+)(?=\d{8}\.) -> matches the first line, ignores any other type

here are the 2 events:
Mask failed to grab activity for response 1234567.
Error in Application for PID 3131: System.Exception: Error processing the following address:

So my question is: I want to match both lines. The problem is that, in order to identify overall performance for my system, I need to get rid of ID numbers (the one at the end of the first line; ignore the digits after PID, I need them 🙂). So the first line should match up to the number, whereas the second line is matched totally.

I tried some but I couldn't figure out how to ensure that.

Thanks in advance for your time and effort.

0 Karma

martin_mueller
SplunkTrust

To get rid of a number at the end of an event at search time you can do this:

base search | rex mode=sed "s/\s*\d+(\.\d+)?\s*$//"

That looks for a number, possibly with decimal places, and removes it along with surrounding whitespace if and only if the number is at the end of the event. You can restrict this to a specific field by specifying field=name.

Note: your example event had an additional literal dot at the end of the event. If that's accurate, you'll need to amend the regex like this:

s/\s*\d+(\.\d+)?\s*\.?$//
0 Karma

martin_mueller
SplunkTrust

I did. Now what?

0 Karma

axl88
Communicator

please read my question again with the comments.

0 Karma

axl88
Communicator

I have both patterns, unfortunately.
Some end with ".", some with just a number.
But these are the only possibilities for a number at the end of the line.
All digits in the events are 8 digits.
Now that you ask about it, I just realized that we may possibly get rid of all 8-digit numbers, right.

0 Karma
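To check both ideas in the thread offline, here is an added example (not code from the thread or from Splunk) that uses Python's re module as a stand-in for the rex mode=sed substitution. The first pattern is the one from martin_mueller's answer with the decimal group made optional, so a plain integer is also matched; the second implements axl88's alternative of dropping every standalone 8-digit number, which leaves the 4-digit PID alone. The sample events are constructed, modelled on the two lines quoted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample events, modelled on the two lines quoted in the question
# plus two variants (no trailing dot, decimal number) to exercise the pattern.
SAMPLE_EVENTS = [
    "Mask failed to grab activity for response 1234567.",
    "Error in Application for PID 3131: System.Exception: Error processing the following address:",
    "Mask failed to grab activity for response 7654321",
    "Request took 12.5",
]

# Trailing number, optional decimal part, optional literal dot, anchored at end of event.
# Equivalent to: rex mode=sed "s/\s*\d+(\.\d+)?\s*\.?$//"
TRAILING_NUMBER = re.compile(r"\s*\d+(\.\d+)?\s*\.?$")

# Hypothetical variant of axl88's idea: drop every standalone 8-digit number
# anywhere in the event. \b keeps 4-digit PIDs and 9-digit numbers untouched.
EIGHT_DIGIT_ID = re.compile(r"\s*\b\d{8}\b")


def strip_trailing_number(event: str) -> str:
    """Remove a number (with surrounding whitespace) only if it ends the event."""
    return TRAILING_NUMBER.sub("", event)


def strip_eight_digit_ids(event: str) -> str:
    """Remove standalone 8-digit numbers wherever they appear in the event."""
    return EIGHT_DIGIT_ID.sub("", event)


def normalise_all(events):
    """Apply the trailing-number rule to every event and return the cleaned list."""
    return [strip_trailing_number(e) for e in events]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_EVENTS, normalise_all(SAMPLE_EVENTS)):
        print(f"{original!r}\n  -> {cleaned!r}")
    print(strip_eight_digit_ids("Mask failed to grab activity for response 12345678."))
```

Both substitutions are idempotent, so running them over an already cleaned event changes nothing, which matters if the field is extracted once and then reused by the dashboard's JavaScript.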

somesoni2
SplunkTrust

And the numbers at the end, do they follow some pattern? Like having a dot "." at the end, or are they always 7-8 digits?

0 Karma

axl88
Communicator

It is the search result. I can't remove event data, as I'll be getting it remotely.
I have two panels in the dashboard;
a user selection in the "master view" would detail the chosen value in the "detail view".
I'm on the step of detailing logs for the detail view.

Since JavaScript would come into play, I should create a generic extracted field for each log so that I can minimize the complexity in JavaScript.

My plan is to extract a field with the pattern I described above
and use it for a search that will come through a JS permalink.

0 Karma

somesoni2
SplunkTrust

Do you want to remove them from the event data itself, or just from the search result?

0 Karma