Hi everyone,
I want to extract a record of values:
I tried with this regex, but it is only extracting the first record:
rex "\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)"
I need your help. The following is my sample data:
"================================================================ "
"98 Processes at: 2015-04-08T19:14:13.270
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 19488 1632 ? Ss Mar04 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S Mar04 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S Mar04 0:18 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S Mar04 1:35 [rcu_sched]
root 8 0.0 0.0 0 0 ? S Mar04 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S Mar04 0:01 [migration/0]
root 10 0.0 0.0 0 0 ? S Mar04 0:01 [migration/1]
root 11 0.0 0.0 0 0 ? S Mar04 0:18 [ksoftirqd/1]
root 13 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/1:0H]
root 14 0.0 0.0 0 0 ? S Mar04 0:04 [migration/2]
root 15 0.0 0.0 0 0 ? S Mar04 0:03 [ksoftirqd/2]
root 17 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/2:0H]
root 18 0.0 0.0 0 0 ? S Mar04 0:05 [migration/3]
root 19 0.0 0.0 0 0 ? S Mar04 0:04 [ksoftirqd/3]
root 21 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/3:0H]
root 22 0.0 0.0 0 0 ? S< Mar04 0:00 [khelper]
"================================================================ "
I need to extract from this sample data all the following fields for each record:
USER
PID
%CPU
%MEM
VSZ
RSS
TTY
STAT
START
TIME
COMMAND
For example, the first and the 2nd record should be:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 19488 1632 ? Ss Mar04 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S Mar04 0:00 [kthreadd]
THANKS
If you check out the doc on the rex command you'll see that max_match= Controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1, use 0 to mean unlimited.
Try like this:
...| rex max_match=0 field=_raw "\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)" |...
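Added example (not part of the original posts, and not Splunk code): a Python emulation of what `max_match` changes, run with the answer's regex over a constructed event. The `rex` and `to_records` helpers and the `sshd` row are assumptions made for illustration; the last row also shows that `(?P<Command>\S+)` keeps only the first token of a command line that has arguments.

```python
import re

# Same pattern as in the answer above (Python's named-group syntax matches PCRE's).
PS_ROW = re.compile(
    r"\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)"
    r"\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)"
    r"\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)"
)

# Constructed event: header and three rows from the question, plus one
# constructed row (sshd) whose command carries an argument.
EVENT = (
    "98 Processes at: 2015-04-08T19:14:13.270 "
    "USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND "
    "root 1 0.0 0.0 19488 1632 ? Ss Mar04 0:01 /sbin/init "
    "root 2 0.0 0.0 0 0 ? S Mar04 0:00 [kthreadd] "
    "root 5 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/0:0H] "
    "root 901 0.0 0.1 66260 1200 ? Ss Mar04 0:02 /usr/sbin/sshd -D"
)


def rex(raw, max_match=1):
    """Emulate rex: return {field: [values]}; max_match=0 means unlimited."""
    fields = {name: [] for name in PS_ROW.groupindex}
    for n, m in enumerate(PS_ROW.finditer(raw), start=1):
        for name, value in m.groupdict().items():
            fields[name].append(value)
        if max_match and n >= max_match:
            break  # default of 1 stops after the first process row
    return fields


def to_records(fields):
    """Zip the parallel multivalue fields back into one dict per process."""
    names = list(fields)
    return [dict(zip(names, row)) for row in zip(*(fields[n] for n in names))]


if __name__ == "__main__":
    print(rex(EVENT)["Pid"])               # default max_match=1
    for rec in to_records(rex(EVENT, max_match=0)):
        print(rec["Pid"], rec["Stat"], rec["Command"])
```

The header row is never captured because `PID` does not satisfy `\d+`. If the full command line matters for process monitoring, the `Command` group needs a pattern that can span spaces, which in turn requires one process per line or per event.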