- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Specific rex doesnt seem to work
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have 3 sets of drives that are listed differently by different systems.
FC SSD
SATAII SSD
Fibre Channel
SATAII
Really its just SATA, Fibre Channel & SSD & I'd like to group them as such.
I've tried many variations of
"Drive\sType:\s+(?<drive_tier>Fibre|SATAII\\s\\s|/SSD/)"
The above SHOULD work IMO. but it only lists the first 2. I've tried many
variations & either it finds the first 2 or lists all 4.
If I take out the \s\s on the plain SATA then it will group the SATA SSD's
with it- its not what I want but its the only grouping I've been able to
see with this. The 2 SATAII's seem to make this a little more difficult.
Anyone have any suggestions to try?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here you go:
"Drive Type: (?:SATAII |FC )*(?<drive_tier>Fibre|SATAII(?! SSD)|SSD)"
Results:
- Drive Type: SATAII SSD --> SSD
- Drive Type: SATAII --> SATAII
- Drive Type: Fibre Channel --> Fibre
- Drive Type: FC SSD --> SSD
There's no way to have it output an uppercase "FIBRE" as regexes only output what was in the original text.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here you go:
"Drive Type: (?:SATAII |FC )*(?<drive_tier>Fibre|SATAII(?! SSD)|SSD)"
Results:
- Drive Type: SATAII SSD --> SSD
- Drive Type: SATAII --> SATAII
- Drive Type: Fibre Channel --> Fibre
- Drive Type: FC SSD --> SSD
There's no way to have it output an uppercase "FIBRE" as regexes only output what was in the original text.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are you doing "\s" in one place and "\s" in another!
Why do you have "SATAII\s\s" when sometimes you have "SATAII" and sometimes "SATA SSD". Your regex will match either. You want: "...|SATAII|..."
It seems to be that what you REALLY want is just:
"Drive\sType:\s+(?
.+?)$"
Any DriveType until the newline.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SATAII & SATAII SSD are separate. I want those 2
Fibre SSD & SATAII SSD's to be grouped togather.
When I put in the \s\s it separated SATAII vs. SATA SSD.
I thought if I had |SSD that it would pickup anything
that had SSD in the string.. seems like a nice idea- but
it doesnt work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drive Type: FC SSD
Drive Type: Fibre Channel
Drive Type: SATAII
Drive Type: SATAII SSD
Above is exacltly the way they appear.
I'd like to just have 3 groups.
SATAII
SSD (the 2 SSD's combined)
FIBRE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
could you post an example of some events that you'd like to apply the rex to so we can get an idea of the format for the events?
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
