Hello!
I'm having strings that are very specific. I'm trying to aggregate them, so what I want is just to keep the string until "_@" appears. I don't understand Perl regular expression syntax yet. Can anyone help?
Thank you
Perhaps I can refer you to some pieces of the documentation that might prove useful.
http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/Usefieldstosearch
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutfields
/K
Ok, this allows me to count by those which don't have "@". Well, I want to count by them too. I want ChangeCurrentObj@blabla1 and ChangeCurrentObj_@blabla2 and ChangeCurrentObj_@blabla3 to be rewritten as ChangeCurrentObj, and then count by them too
OK. Once again.
You have a field called SWEMethod. It contains a long string, with a delimiter (_@) in the middle somewhere. You want to use everything before the delimiter for some reporting purposes. OK?
Use the field extraction methods shown to you, which will create a new field called 'X'. Then - use 'X' instead of 'SWEMethod' for the remainder of the query. It is that simple, e.g.
index=pt_app_siebel | rex field=SWEMethod "^(?<X>\w+)_@" | timechart span=5min count(X) values(X)
SWEMethod will still have its old (long) value, but that does not matter, since you're not using it.
I need replace because I want to use timechart count by SWEMethod, with SWEMethod aggregated you see?
If you use rex to grab only the left side, what do you think will remain on the right side?
Are you trying to remove the raw data?
Why do you think you need replace?
I can identify the "_@" elements, but I haven't yet figured out how to replace the right side with nothing, so rex is not enough
TiagoMatos: did you try what I outlined in comments #1, #3 and #6?
Kristian.kolb, that is exactly what I want. I want to use replace to keep the left side of the string. I need to identify those that have "_@" and ignore the right side of it
Your question isn't exactly clear. Could you perhaps give a bit of sample data and say what you want to skip and what you want to keep?
Assuming that Kristian's example is correct, you could use the following regex with a positive lookahead.
".*?(?=_@)"
In the example of "foo_@bar", the above regex would only select "foo" and ignore the "_@bar". You can use this regex in Splunk using the rex command.
edit: Based on your comment, I ran the following regex through Regexr (http://gskinner.com/RegExr/) for you:
(?<=^SWEMethod=).*?(?=_@)
Based on your sample, this will select only ChangeCurrentObj. This regex will only work if the data starts with "SWEMethod=". If this isn't the case, a poor man's replacement could be:
(?<=\w=).*?(?=_@)
but I recommend working it out further.
One example is this one. The field is SWEMethod, so
SWEMethod=ChangeCurrentObj_@0*0*10*0*5*Group0*9*UIPropInd1*Y11*CxGroupName10*VII. VPN16*RequireMoreChild0*11*Parent Path9*1-CWMQIJW4*Type5*Group12*TemplateName23*eCfgGroupStandardJS.swt8*Selected1*N12*.MasterGroup17*VII. Fixo &"
What I want is to use replace to keep just "ChangeCurrentObj", and nothing more than that
left-side-to-keep_@right-side-to-skip
still confusing?
also, "^@" would require that the string/line starts with '@', which it does not.
/k
I'm confused. First you say you "want is just to keep the string until "@" appear", then you say you "want to replace every character right to the "@" by nothing".
In my world, replace before @ by nothing means keep everything after @.
If you want to have both before and after the @, then rex both.
TiagoMatos: my suggestion creates a field called 'X' which contains the beginning of the SWEMethod up to _@. Use the field 'X' instead of 'SWEMethod' in the subsequent search commands.
lukejadamec: that would not work. The field does not start with '@'. And TiagoMatos wants everything before _@
Why don't you rex everything after the @?
rex field=SWEMethod "^@(?
I want to replace every character to the right of the "_@" with nothing, so it has to be an eval with a replace
index=pt_app_siebel | rex field=SWEMethod "^(?<X>\w+)_@" | timechart etc etc blah blah
??
I have SWEMethods with values like this one:
ChangeCurrentObj_@0*0*10*0*5*Group0*9*UIPropInd1*Y11*CxGroupName10*VII. VPN16*RequireMoreChild0*11*Parent Path9*1-KR600AC4*Type5*Group12*TemplateName23*eCfgGroupStandardJS.swt8*Selected1*N12*.MasterGroup17*VII. Fixo &
I want to perform a count such as this:
I want to count by method, but everything after _@ is just a specification. So I want something like this:
index="pt_app_siebel" NOT error*| eval X =replace(SWEMethod, "^(\w+)_@.+$", "\1" ) | timechart usenull=F limit=0 span=1s count by SWEMethod | table SWEMethod
Hope it helps
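The three approaches in this thread (the rex capture `^(?<X>\w+)_@`, the eval `replace(SWEMethod, "^(\w+)_@.+$", "\1")`, and the lookahead `.*?(?=_@)`) all rest on the same PCRE-style regexes, so their behaviour can be checked outside Splunk. The script below is an added example and is not code from the thread or from Splunk; it runs the patterns with Python's `re` module (which spells a named group `(?P<X>...)` rather than `(?<X>...)`) over constructed SWEMethod values, including the cases a practitioner should check before trusting the search: a value with no `_@` at all, an underscore inside the method name, and a value where nothing follows the delimiter.

```python
import re

# Constructed sample values for the SWEMethod field (not real events from the
# poster's index; the first one is shaped like the value shown in the thread).
SAMPLE_VALUES = [
    "ChangeCurrentObj_@0*0*10*0*5*Group0*9*UIPropInd1*Y11*CxGroupName10*VII. VPN16",
    "ChangeCurrentObj_@0*0*3*Parent Path9*1-CWMQIJW4*Type5*Group12",
    "GotoView_@1*Some*Other*Spec",
    "NoDelimiterHere",      # no "_@": rex produces no field, replace leaves it unchanged
    "Odd_Name_@trailing",   # \w+ includes "_", but backtracks so "_@" still matches
    "EmptySpec_@",          # nothing after the delimiter: ".+" in the replace pattern fails
]

# Kristian's rex pattern, ^(?<X>\w+)_@, in Python's (?P<name>...) spelling.
REX_PATTERN = re.compile(r"^(?P<X>\w+)_@")

# The replace() pattern from the thread: keep group 1, drop "_@" and everything after it.
REPLACE_PATTERN = re.compile(r"^(\w+)_@.+$")

# The positive-lookahead variant: match lazily up to, but not including, "_@".
LOOKAHEAD_PATTERN = re.compile(r"^.*?(?=_@)")


def rex_extract(value):
    """Mimic `rex field=SWEMethod "^(?<X>\\w+)_@"`: the captured X, or None when nothing matches."""
    m = REX_PATTERN.match(value)
    return m.group("X") if m else None


def eval_replace(value):
    """Mimic `eval X=replace(SWEMethod, "^(\\w+)_@.+$", "\\1")`: the value is returned unchanged
    when the pattern does not match, which is why values without "_@" survive as-is."""
    return REPLACE_PATTERN.sub(r"\1", value)


def lookahead_extract(value):
    """The lookahead answer: everything before "_@", or None when there is no delimiter."""
    m = LOOKAHEAD_PATTERN.match(value)
    return m.group(0) if m else None


def count_by_method(values):
    """Equivalent of `| stats count by X` after the eval: tally the aggregated method names."""
    counts = {}
    for v in values:
        key = eval_replace(v)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(f"{v[:40]!r:44} rex={rex_extract(v)!r:22} replace={eval_replace(v)!r:22} "
              f"lookahead={lookahead_extract(v)!r}")
    print(count_by_method(SAMPLE_VALUES))
```

Two details worth noticing in the output: a value with no `_@` keeps its full text under `replace`, so it is counted as its own method (which is what the poster asked for), while `rex` leaves X empty for it; and because the replace pattern ends in `.+$`, a value like `EmptySpec_@` is not shortened at all, whereas `rex` and the lookahead still return `EmptySpec`. If that case can occur in the data, use `.*$` instead of `.+$` in the replace.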
Please provide a few sample events. This could be a start:
rex field=my_long_string "(?<new_field>.+?)_@"
/k