Solved: Exclude characters within a field

lemikg · ‎02-08-2013

Hi,

right now I am having trouble exluding characters like "/, :, 0-9" from my search. ~~I want those excluded~~

I think best would be to look at the end of the name and if there is a "_" or a "/" then cut that and everything behind it so I can count the services for each host.

-bash
[aio/0]
[aio/1]
[aio/2]
[aio/3]
[async/mgr]
[ata/0]
[ata/1]
[ata/2]
[ata/3]
[ata_aux]
[bdi-default]
[bond0]
[cpuset]
[crypto/0]
[crypto/1]
[crypto/2]
[crypto/3]

What I want to see for example is "[aio]" and this search worked but I can't figure out how to add more characters to it.

sourcetype=ps OR sourcetype=top COMMAND | multikv | makemv delim="/" COMMAND

Can anyone help me here?

Thanks in advance and best regards
Mike

:::::::::::::::UPDATE:::::::::::::::
I made something that worked to a certain point (I'll get to that later) but is probably inefficient and not 100% the solution.

sourcetype=top COMMAND | multikv | rex field=COMMAND "^(?.+?)\/" | makemv delim="[" COMMAND | eval new_command = replace(COMMAND,"]","") | stats count by new_command

This seach lacks the ability to cut off two characters,

"_"
a number

lemikg · ‎02-12-2013

Well, I think I found another workaround. I just replaced the "/" of the first rex with a "_" in the second rex command. Don't know if this can be done more efficient. But so far the result seems to be good.

sourcetype=top COMMAND | 

multikv | 

rex field=COMMAND "^(?.+?)\/" | 

rex field=COMMAND "^(?.+?)_" | 

stats count by COMMAND | 

dedup COMMAND

View solution in original post

lemikg · ‎02-12-2013

Well, I think I found another workaround. I just replaced the "/" of the first rex with a "_" in the second rex command. Don't know if this can be done more efficient. But so far the result seems to be good.

sourcetype=top COMMAND | 

multikv | 

rex field=COMMAND "^(?.+?)\/" | 

rex field=COMMAND "^(?.+?)_" | 

stats count by COMMAND | 

dedup COMMAND

stefano_guidoba · ‎02-08-2013

Try using "rex" command this way:

sourcetype=ps OR sourcetype=top COMMAND | rex field=process mode=sed "s#/\d+\]#\]#" | chart count by process host

to obtain what you asked, assuming that "process" is the field already extracted from this sourcetype. Otherwise, add this "rex" before the other one:

rex field=_raw "\[(?<process>\S+)\]"

Regards,
Stefano

lemikg · ‎02-12-2013

Yes, the backslashes are in place. Somehow I pasted the wrong code. This is the correct one.
sourcetype=ps OR sourcetype=top COMMAND | rex field=_raw "[(?\S+)]" | rex field=process mode=sed "s#/\d+]#]#" | stats count by process

Yes, a new field named "process" appeared.

But still no luck and for some reason it only shows me three process names.

stefano_guidoba · ‎02-12-2013

Are you putting \ (backslashes) where I put them, right? Running my search, does a new field named "process" appear on the left?
Also, last tip: you want to count by host, so substitute "chart count by process host" with "stats count by host". Try this and let me know 🙂

lemikg · ‎02-12-2013

thanks Stefano! process has not yet been extracted.

I tried the following:

sourcetype=ps OR sourcetype=top COMMAND | rex field=_raw "[(?\S+)]" | rex field=process mode=sed "s#/\d+]#]#" | chart count by process host

But it isn't what I expected.

I think best would be to look at the end of the name and if there is a "_" or a "/" then cut that and everything behind it.

Exclude characters within a field

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes