Splunk Search

How do I edit my search to find certain strings in my data and replace them with other strings?

splunkman341
Communicator

Hi guys,

I have this specific search that I want to edit:

index="tablet_os" sourcetype="df" host=dc1* sda3 OR Data| multikv fields FileSystem, UsePct  | strcat host '@' Filesystem Host_FileSystem  | timechart span=60m avg(UsePct) by Host_FileSystem  | rename avg(UsePct) as %Used

and currently, it displays a graph with certain information. What I want to edit is as follows:

dc1prmtbap01/dev/mapper/localraid-Data TO BE CHANGED TO dc1prmtbap01 /data

dc1prmtbap01 /dev/sda3 TO BE CHANGED TO dc1prmtbap01/root

Sorry for the lack of clarity, but if you need me to further explain something, please don't hesitate to ask. Thanks in advance for your help.

1 Solution

maciep
Champion

I'm assuming those are in the Host_FileSystem field, so maybe something like this (untested)

 index="tablet_os" sourcetype="df" host=dc1* sda3 OR Data
 | multikv fields FileSystem, UsePct  
 | strcat host '@' Filesystem Host_FileSystem
 | eval Host_FileSystem = case(Host_FileSystem = "dc1prmtbap01/dev/mapper/localraid-Data","dc1prmtbap01 /data",Host_FileSystem = "dc1prmtbap01 /dev/sda3","dc1prmtbap01/root",1=1,Host_FileSystem)
 | timechart span=60m avg(UsePct) by Host_FileSystem  
 | rename avg(UsePct) as %Used


splunkman341
Communicator

Hey maciep, and thanks for your answer. It modified it for the first bars, but the rest are still in the long form.


maciep
Champion

Ok, you only mentioned those two initially. It's kind of hard to give you a better idea of how to make a similar change for everything without seeing all of your data. Are the short forms available anywhere in your events, or are they just something you know them as? Do you have an exhaustive list of mappings from long names to short names? Or is there a pattern that can be applied to the long names to come up with the short names?

We're flying kinda blind here 🙂


splunkman341
Communicator

I am sorry, I forgot to mention it's for servers 02, 03, and 04. Would I just take your example and create several more cases, or is there a shorter way to do it?


maciep
Champion

If the paths are the same, then this might work. But hardcoding the case statements for 4 servers isn't too bad either.

The idea would be to grab the host part of the Host_FileSystem field. Then change your case to match on the path minus the host info. Then, depending on which path matches, append either /data or /root to the host we grabbed earlier.

But in general, there are probably a few different ways to tackle something like this. And the better you understand the data, the more options you'll likely have.

Again, not tested at all...

 index="tablet_os" sourcetype="df" host=dc1* sda3 OR Data
 | multikv fields FileSystem, UsePct  
 | strcat host '@' Filesystem Host_FileSystem
 | rex field=Host_FileSystem "(?<path_host>[^/]+)"
 | eval Host_FileSystem = case(match(Host_FileSystem,"dev/mapper/localraid-Data"),path_host."/data",match(Host_FileSystem,"dev/sda3"),path_host."/root",1=1,Host_FileSystem)
 | timechart span=60m avg(UsePct) by Host_FileSystem  
 | rename avg(UsePct) as %Used
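Added example, not from the thread or from Splunk: the two relabelling strategies above (the first answer's literal case() mapping and this answer's rex + match() pattern mapping) reproduced in Python so the difference can be run on constructed Host_FileSystem values. The sample values are constructed here to look like the strcat output quoted in the question, including the space before /dev/sda3; the lowercase "localraid-data" value is an invented variant, not something the thread reports. Whether whitespace or case is why hosts 04 and 05 did not match is not known from the thread; the normalised variant only shows how to make the matching tolerant of both.

```python
import re

# Constructed Host_FileSystem values shaped like the ones quoted in the
# question (host concatenated with the Filesystem value). The embedded
# space before /dev/sda3 copies what the original post shows.
SAMPLE_HOST_FILESYSTEMS = [
    "dc1prmtbap01/dev/mapper/localraid-Data",
    "dc1prmtbap01 /dev/sda3",
    "dc1prmtbap02/dev/mapper/localraid-Data",
    "dc1prmtbap02 /dev/sda3",
    "dc1prmtbap03/dev/sdb1",  # unmapped path: must pass through unchanged
]

# Strategy 1: literal mapping, equivalent to case(Host_FileSystem = "...",
# "...", 1=1, Host_FileSystem). Only the two listed values are renamed.
EXPLICIT_MAP = {
    "dc1prmtbap01/dev/mapper/localraid-Data": "dc1prmtbap01 /data",
    "dc1prmtbap01 /dev/sda3": "dc1prmtbap01/root",
}


def relabel_explicit(value):
    # The 1=1 default branch returns the original value unchanged.
    return EXPLICIT_MAP.get(value, value)


# Strategy 2: pattern mapping, equivalent to
#   rex field=Host_FileSystem "(?<path_host>[^/]+)"
#   case(match(Host_FileSystem,"dev/mapper/localraid-Data"), path_host."/data", ...)
PATH_HOST_RE = re.compile(r"[^/]+")  # same regex as the rex command
PATTERN_MAP = [
    (re.compile(r"dev/mapper/localraid-Data"), "/data"),
    (re.compile(r"dev/sda3"), "/root"),
]


def relabel_pattern(value):
    # rex takes the first match; [^/]+ stops at the first slash, so any
    # whitespace before the path ends up inside path_host.
    m = PATH_HOST_RE.search(value)
    path_host = m.group(0) if m else ""
    for rx, short in PATTERN_MAP:
        if rx.search(value):  # SPL match() is an unanchored regex search
            return path_host + short
    return value


# Variant (assumption, not from the thread): trim path_host and compare the
# path case-insensitively so "host /dev/sda3" and "localraid-data" still map.
PATTERN_MAP_CI = [(re.compile(p, re.IGNORECASE), s) for p, s in
                  [(r"dev/mapper/localraid-data", "/data"), (r"dev/sda3", "/root")]]


def relabel_pattern_normalized(value):
    m = PATH_HOST_RE.search(value)
    path_host = m.group(0).strip() if m else ""
    for rx, short in PATTERN_MAP_CI:
        if rx.search(value):
            return path_host + short
    return value


def relabel_all(values, fn):
    """Apply one of the relabel functions to every value, like eval does per event."""
    return [fn(v) for v in values]


if __name__ == "__main__":
    for fn in (relabel_explicit, relabel_pattern, relabel_pattern_normalized):
        print(fn.__name__, relabel_all(SAMPLE_HOST_FILESYSTEMS, fn))
```

Running it shows why the first answer only changed the first bars (every host other than 01 falls through to the 1=1 default) and that the rex approach keeps the trailing space from "dc1prmtbap01 " in the /root label; the normalised variant strips it.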

splunkman341
Communicator

Yes, the paths are the same. That worked really well, except I forgot to mention there is also an 05, but the strange thing is it worked for /root but not for dc1prmtbap05/dev/mapper/localraid-Data.

It also did not change dc1prmtbap04/dev/mapper/localraid-Data to be just /data. Other than those two, everything else worked great!
