Extracting values (with rex) out of the last two e...

amatthes · ‎01-10-2020

Hey everbody

I have two different evens for the same file. I need to extract the latest values and concat it to one string.

File:
foo=bar
foo1=bar1
foo2=bar2
foo3=bar3

Event 1:
foo=new_bar
foo1=new_bar1

Event 2:
foo2=new_bar2
foo3=new_bar3

Output:
NEED1 NEED2
"" or "none" new_bar1
"new_bar2" "" or "none"

Expected string:
new_bar2 new_bar3

Is it possible?

Thanks for your help.

jarizeloyola · ‎01-10-2020

Im not sure if I parsed your question correctly but based from what I understand you want to get the 2 latest events and concat it with a string. Based from your given example your log is in key/field=value form so that is automatically extracted . If you want to get the latest values it is better to use stats, its a lot faster and efficient instead of using sort which is too intensive , sorting should always be in the last.

index=MY_INDEX sourcetype=my:source stats latest | stats latest(foo1) as foo1 latest(foo2) as foo2 | eval NEED1="new_".foo1 | eval NEED2="new_".foo2 | table NEED1 NEED2

Just incase you need a rex |rex field=_raw "fo(\w|\w\d+)\=(?<value>[a-z0-9].*)"

to4kawa · ‎01-10-2020

Various important points have disappeared.

please use code sample. 101010

Extracting values (with rex) out of the last two events and concat as one string?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!