
Field extraction using regex in a query?

kalyanilandge
New Member

Hi Team,

I have data like below:

\launching VM
Initializing Wed 2017-01-04 02:22:48
Going-stop Wed 2017-01-04 02:23:16
stop Wed 2017-01-04 02:23:17
Going-Start Wed 2017-01-04 02:23:17
Start Wed 2017-01-04 02:23:17

I want to find the latest status of a particular host.
How do I grep the first field and show it as a status?
The status is changing every minute, so the dashboard should show the current status of the particular host.
Any help is appreciated.


gokadroid
Motivator

It will require two adjustments:

  • Excluding events in the query
  • Changing the refresh interval of the query to get you the real-time view.

If you don't want launching VM, you can exclude that in your base query like:

index=yourIndex sourcetype=yourSourcetype NOT (launching VM)
| rex "^(?<status>[^\s]+)" | stats latest(status) by host

To get the latest real-time results, you can either use a real-time search or the refresh option of the query, panel or dashboard. See here:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Aboutrealtimesearches
https://answers.splunk.com/answers/483783/define-refresh-interval-for-formdashboard.html#answer-4840...


kalyanilandge
New Member

Thank you for your answer, it is helpful, but it is giving the result \launching VM as well.
I want output like this :

Host Status
A Start
B Stop
C Start

The example which I have given is a single event for only one host. I don't want \launching. I just want the last line of the event for one host and grep whether it is start or stop. The number of lines in the event is not fixed. Status is always changing. The current status I need to display in the dashboard.


zshainsky
Splunk Employee

Can you post a more descriptive example of your log format and desired output? In your first example, you say that you only listed a single event for one host. Does that mean these are multi-line events?


jplumsdaine22
Influencer

Assuming each line is a single event (i.e. _raw="Initializing Wed 2017-01-04 02:22:48"), then the following should get you started:

... <your search> | rex "^(?<status>[^\s]+)" | stats latest(status) by host
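A stand-alone model of what both answers' search does, added here as an example rather than code from the thread: the same `^(?<status>[^\s]+)` extraction, a `latest(status) by host` equivalent, and a variant for the multi-line-event case the asker describes. The sample data and the host names A and B are constructed assumptions, since the original post shows no host field.

```python
import re
from datetime import datetime

# Constructed sample: one multi-line block per host, in the question's format
# (host names are an assumption; the original post shows none).
SAMPLE_EVENTS = {
    "A": ("\\launching VM\n"
          "Initializing Wed 2017-01-04 02:22:48\n"
          "Going-stop Wed 2017-01-04 02:23:16\n"
          "stop Wed 2017-01-04 02:23:17\n"
          "Going-Start Wed 2017-01-04 02:23:17\n"
          "Start Wed 2017-01-04 02:23:17"),
    "B": ("\\launching VM\n"
          "Initializing Wed 2017-01-04 02:30:01\n"
          "stop Wed 2017-01-04 02:30:41"),
}

# Same pattern as the answers' rex: the first non-whitespace run at line start.
STATUS_RE = re.compile(r"^(?P<status>[^\s]+)")
TS_RE = re.compile(r"\b\w{3} (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")

def line_events(host, raw):
    # Treat each line as its own event (the last answer's assumption) and
    # skip the '\launching VM' header the asker wants excluded.
    events = []
    for line in raw.splitlines():
        status, ts = STATUS_RE.match(line), TS_RE.search(line)
        if line.startswith("\\launching") or not (status and ts):
            continue
        events.append({"host": host, "status": status.group("status"),
                       "_time": datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")})
    return events

def latest_status_by_host(events):
    # Mirror '| stats latest(status) by host'. latest() compares _time only, so
    # lines sharing one second (host A) are a tie; here the line seen last wins.
    best = {}
    for i, ev in enumerate(events):
        key = (ev["_time"], i)
        if ev["host"] not in best or key > best[ev["host"]][0]:
            best[ev["host"]] = (key, ev["status"])
    return {host: status for host, (_, status) in best.items()}

def last_line_status(raw):
    # Multi-line variant: if the whole block is one event, the current status
    # is the first token of its final line, with no timestamp logic needed.
    return STATUS_RE.match(raw.rstrip().splitlines()[-1]).group("status")

def current_status(sample=SAMPLE_EVENTS):
    events = [e for host, raw in sample.items() for e in line_events(host, raw)]
    return latest_status_by_host(events)
```

Note that every status line for host A carries the same second, which is exactly the situation where relying on `latest()` alone is fragile; the multi-line `last_line_status` route avoids the timestamp tie altogether.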