Hi,
right now I am having trouble excluding characters like "/, :, 0-9" from my search. I want those excluded.
I think best would be to look at the end of the name and if there is a "_" or a "/" then cut that and everything behind it so I can count the services for each host.
-bash
[aio/0]
[aio/1]
[aio/2]
[aio/3]
[async/mgr]
[ata/0]
[ata/1]
[ata/2]
[ata/3]
[ata_aux]
[bdi-default]
[bond0]
[cpuset]
[crypto/0]
[crypto/1]
[crypto/2]
[crypto/3]
What I want to see for example is "[aio]" and this search worked but I can't figure out how to add more characters to it.
sourcetype=ps OR sourcetype=top COMMAND | multikv | makemv delim="/" COMMAND
Can anyone help me here?
Thanks in advance and best regards
Mike
:::::::::::::::UPDATE:::::::::::::::
I made something that worked to a certain point (I'll get to that later) but is probably inefficient and not 100% the solution.
sourcetype=top COMMAND | multikv | rex field=COMMAND "^(?<COMMAND>.+?)\/" | makemv delim="[" COMMAND | eval new_command = replace(COMMAND,"]","") | stats count by new_command
This search lacks the ability to cut off two characters.
Well, I think I found another workaround. I just replaced the "/" of the first rex with a "_" in the second rex command. Don't know if this can be done more efficiently. But so far the result seems to be good.
sourcetype=top COMMAND |
multikv |
rex field=COMMAND "^(?<COMMAND>.+?)\/" |
rex field=COMMAND "^(?<COMMAND>.+?)_" |
stats count by COMMAND |
dedup COMMAND
Try using "rex" command this way:
sourcetype=ps OR sourcetype=top COMMAND | rex field=process mode=sed "s#/\d+\]#\]#" | chart count by process host
to obtain what you asked, assuming that "process" is the field already extracted from this sourcetype. Otherwise, add this "rex" before the other one:
rex field=_raw "\[(?<process>\S+)\]"
Regards,
Stefano
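To make the difference between the two approaches in this thread concrete, here is an added Python example (not code from the original post or from Splunk) that applies both normalisations to a constructed set of ps/top-style COMMAND values and counts by host. The host names and rows are made up; "base_name" mirrors Mike's pair of rex commands (everything before the first "/" or "_", with the surrounding brackets dropped as an assumption), and "sed_style" mirrors Stefano's sed-mode rex, which only strips a numeric "/N" suffix.

```python
import re
from collections import Counter

# Constructed sample rows, not real ps/top output: two hypothetical hosts.
SAMPLE_ROWS = [
    {"host": "hostA", "COMMAND": "-bash"},
    {"host": "hostA", "COMMAND": "[aio/0]"},
    {"host": "hostA", "COMMAND": "[aio/1]"},
    {"host": "hostA", "COMMAND": "[async/mgr]"},
    {"host": "hostA", "COMMAND": "[ata/0]"},
    {"host": "hostA", "COMMAND": "[ata_aux]"},
    {"host": "hostB", "COMMAND": "[bdi-default]"},
    {"host": "hostB", "COMMAND": "[crypto/0]"},
    {"host": "hostB", "COMMAND": "[crypto/1]"},
    {"host": "hostB", "COMMAND": "[ata/2]"},
]

# Mike's approach: keep what precedes the first "/" or "_".
# Assumption: the leading "[" and anything after the separator are dropped,
# so "[aio/0]" and "[aio/1]" collapse to "aio"; "-bash" is left untouched.
NAME_RE = re.compile(r"^\[?(?P<name>[^/_\]]+)")

def base_name(command):
    m = NAME_RE.match(command)
    return m.group("name") if m else command

# Stefano's approach, the Python equivalent of: rex mode=sed "s#/\d+\]#\]#".
# Only a numeric suffix such as "/0]" is removed; "[async/mgr]" and
# "[ata_aux]" are left as they are, which is why the counts differ.
SED_RE = re.compile(r"/\d+\]")

def sed_style(command):
    return SED_RE.sub("]", command)

def count_by_host(rows, normalize=base_name):
    """Equivalent of 'stats count by host <normalized name>'."""
    counts = Counter()
    for row in rows:
        counts[(row["host"], normalize(row["COMMAND"]))] += 1
    return counts

def distinct_names_per_host(rows, normalize=base_name):
    """Number of distinct normalized names per host (Mike's 'services per host')."""
    names = {}
    for row in rows:
        names.setdefault(row["host"], set()).add(normalize(row["COMMAND"]))
    return {host: len(s) for host, s in names.items()}

if __name__ == "__main__":
    for (host, name), n in sorted(count_by_host(SAMPLE_ROWS).items()):
        print(f"{host}\t{name}\t{n}")
    print(distinct_names_per_host(SAMPLE_ROWS))
```

Running it shows that "[async/mgr]" and "[ata_aux]" are the cases where the two methods disagree: Mike's regex folds them into "async" and "ata", while Stefano's sed expression keeps them as separate names, so decide which behaviour you want before picking a search.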
Yes, the backslashes are in place. Somehow I pasted the wrong code. This is the correct one.
sourcetype=ps OR sourcetype=top COMMAND | rex field=_raw "[(?
Yes, a new field named "process" appeared.
But still no luck and for some reason it only shows me three process names.
You are putting \ (backslashes) where I put them, right? Running my search, does a new field named "process" appear on the left?
Also, last tip: you want to count by host, so substitute "chart count by process host" with "stats count by host". Try this and let me know 🙂
Thanks Stefano! "process" has not yet been extracted.
I tried the following:
sourcetype=ps OR sourcetype=top COMMAND | rex field=_raw "[(?<process>\S+)]" | rex field=process mode=sed "s#/\d+]#]#" | chart count by process host
I think best would be to look at the end of the name and if there is a "_" or a "/" then cut that and everything behind it.