Execute regex based on condition

vaishnavi07 · ‎06-13-2014

I have to display the counters starting with # and also % if the sourcetype is "PerfmonMk:.Net CLR Exceptions" and for other sourcetype(PerfmonMk:Processor) i have to display the counters starting with % only. I use the following regex commands,

Counters starting with # and % : |  regex column="#[_A-Za-z]*|%[_A-Za-z]*"
Counters starting with % : |  regex column="%[_A-Za-z]*"

Is there any way to do this?

grijhwani · ‎06-13-2014

Just construct the one regex to match all your cases. I can't see what the issue is with matching [#%][_A-Za-z]* (which is just a contraction of your first example regex). If hash is never present, what's the big deal? The regex will still match.

aweitzman · ‎06-16-2014

OK, I think I misunderstood your question initially, and my first suggestion isn't really valid. But the second one should help a bit:

sourcetype="PerfmonMk:Processor" | table sourcetype %* | append [search sourcetype="PerfmonMk:.Net CLR Exceptions" | table #* %*]

The problem with field names is that they can only be referred to by wildcards, not by regex. Hopefully this will work well enough for you.

vaishnavi07 · ‎06-16-2014

Hi Can you please give me an example?

aweitzman · ‎06-13-2014

You could use the single regex as described, and then use a 'where' clause to eliminate the events you don't want.
You could run two different searches with your two different regexes and use 'append' to turn them into a single result set.

vaishnavi07 · ‎06-13-2014

If i write single regex command and select sourcetype as "PerfmonMk:Processor" then the counters starting with # will get displayed. I don't need that. Only if i select the sourcetype "PerfmonMk:.Net CLR Exceptions" the counters that starts with # should get displayed.

Execute regex based on condition

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor