How do I use only part of Source as legend?

yuanqi · ‎09-21-2012

I have the following search:
"avg tx =" | timechart max(tx) by source

Where Source is the filenames, for example:

\\server1\vdi\LOGS\PCoIPLogFiles\V30040016\pcoip_server_2012_09_14_0000045c.txt

The search works perfectly however the legends (same as the source) are too long.

I'd like to only take part of the "source" as legends, remove "\\server1\vdi\LOGS\PCoIPLogFiles\" and "\pcoip_server_2012_09_14_0000045c.txt", only leave the folder name "V300400xx" (I have many folders so I'm using xx to replace the actual number)

OR, I was thinking if I can create sourcetype using part of the source, meaning "V300400xx", and do the following search, it should also work.
"avg tx =" | timechart max(tx) by sourcetype

Is this possible? Thanks in advance.

Barry

yuanqi · ‎09-21-2012

I gave up trying the \'s and end up doing the following.

rex field=source "V(?< hostname>\w+)" | timechart max(tx) by hostname

I'm missing the first letter V of my hostnames but at least this works.

melting · ‎09-22-2012

try putting the "V" in the parens...

rex field=source "(?< hostname>V\w+)" | timechart max(tx) by hostname

bmacias84 · ‎09-21-2012

I would use rex or regex to create a new field for the segment you wish to use as your new source. Below is a sample, but the regex statement is incorrect. This would be the simplest if you don't to use a transform. Keep in mind there is a higher search cost when using this method, the transform would be more efficient.

... | rex field=source (?<scr>/[\w\d\s\.]+/[\w\d\s\.]+$)| ... | timechart max(tx) by scr

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/rex

Optionaly you could build a lookup table. Though I would use rex or a transform.

davecroto · ‎09-21-2012

What you really want to do is a transforms with a SOURCE_KEY, but that would be a bit more complicated.

davecroto · ‎09-21-2012

source="little.log" |search "avg tx=" |eval tx=6 |rex field=source "little(?\.\w+)" |timechart max(tx) by hostname

davecroto · ‎09-21-2012

It is hard to do without a sample event, but I think this is what you need now the legend should be the regex'd out portion of the source. Let me know if it works. 🙂

yuanqi · ‎09-21-2012

Tried the following and didn't work. Any suggestion?

"avg tx =" rex field=source "\\server1\vdi\LOGS\PCoIPLogFiles\(?<hostname>[^\]+)$" | timechart max(tx) by hostname

davecroto · ‎09-21-2012

I'm assuming the slashes are not there in your response because you didn't escape them 🙂

Just use a regex that works in the rex statement. As a test, does it work when you just do:

| rex field=source "\\server1\vdi\LOGS\PCoIPLogFiles\(?V30040016)"

Do you still get the error message?

yuanqi · ‎09-21-2012

Got error:
Error in 'rex' command: Encountered the following error while compiling the regex '\server1\vdi\LOGS\PCoIPLogFiles(?w+)': Regex: PCRE does not support \L, \l, \N{name}, \U, or \u

davecroto · ‎09-21-2012

edited this alot because I have to escape the \'s but I think you are just missing the "|" "pipe" between what you are searching for and the rex statement

davecroto · ‎09-21-2012

Q: you are searching for "avg tx ="

if so

"avg tx="|rex field=source "\\server1\vdi\LOGS\PCoIPLogFiles\\\\(?\w+)" |timechart....

davecroto · ‎09-21-2012

Use rex to create another field: rex field=source "/opt/log/(?[^/]+)$" and then use that field as the the "by"

yuanqi · ‎09-21-2012

I'm not familiar with rex, I tried the following and didn't work. Any suggestion?

"avg tx =" rex field=source "\server1\vdi\LOGS\PCoIPLogFiles(?[^]+)$" | timechart max(tx) by hostname

How do I use only part of Source as legend?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...