Hello all, a regex is needed that's way above my head:
I have a message field in the notable index that holds multiple space-delimited hostnames on a host down alert. I need to separate out these values for a timechart. A sample of what is in the message field for each notable is listed below. I will need to exclude everything after hosts= and everything before \ncount=144, and each hostname has a space in between. I want to call the new field criticalhosts.
hosts=XXXXC01 XXXXC05 XXXXM86 \ncount=144
Once that's done, I will need to do a stats count to show how many hosts went down per day over a month. I tried it with stats delim=" " but I am missing the first and last values in the field due to the extra verbiage. Thanks for the help.
From SPL do it like this:
.. | makeresults | eval _raw="host=a b c d e \ncount=144"
| kv
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex "(?s)host=(?<host>[^\r\n=]+).*count=(?<count>\d+)"
| rex field=host mode=sed "s/\\\n.*$//"
| makemv host
| stats sum(count) AS downcount BY host
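A second version of the same approach, adapted to the field names from the question (the `hosts=` prefix, a new field called `criticalhosts`, and a per-day host count). This is an added example, not the answerer's search or anything shipped with Splunk; the first four lines only build three constructed sample events, the `notable` index and `message` field name are assumed from the question, and the hostname character set `[A-Za-z0-9_.-]` is an assumption you should widen if your hostnames contain other characters.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time = _time - (n * 86400)
| eval message = case(
      n==1, "hosts=XXXXC01 XXXXC05 XXXXM86 \ncount=144",
      n==2, "hosts=XXXXC05 \ncount=12",
      n==3, "hosts=XXXXM86 XXXXC09 XXXXC01 \ncount=7")
| rex field=message "hosts=(?<criticalhosts>(?:[A-Za-z0-9_.-]+[ \t]+)*[A-Za-z0-9_.-]+)"
| makemv delim=" " criticalhosts
| mvexpand criticalhosts
| timechart span=1d dc(criticalhosts) AS hosts_down
```

The rex captures a run of hostname tokens separated by spaces or tabs only, so it stops at `count=` whether the message carries a literal backslash-n (as the sample above shows) or a real line break: the backslash is outside the hostname class, and a real newline is not a permitted separator, which keeps `count` from being swallowed as a fourth hostname. Capturing whole tokens also avoids the trailing space that a `[^\r\n=]+` capture leaves behind. `mvexpand` gives one row per host per notable, so `dc(criticalhosts)` per day is the number of distinct hosts that went down that day; use `count` instead if you want the number of host-down occurrences, or `timechart span=1d count BY criticalhosts` for a per-host breakdown. To run it against live data, replace the first four lines with something like `index=notable earliest=-30d@d latest=now "hosts="`.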
Would have never thought of that. Thanks for saving me time!