Splunk Search

Eval string until character

TiagoMatos
Path Finder

Hello!

I'm having strings that are very specific. I'm trying to aggregate them, so what I want is just to keep the string until "_@" appears. I don't understand Perl expression syntax yet. Can anyone help?

Thank you


kristian_kolb
Ultra Champion

TiagoMatos
Path Finder

Ok, this allows me to count by those which don't have "@". Well, I want to count by them too, you see. I want ChangeCurrentObj@blabla1 and ChangeCurrentObj_@blabla2 and ChangeCurrentObj_@blabla3 to be rewritten as ChangeCurrentObj, and then count by them too.


kristian_kolb
Ultra Champion

OK, once again.

You have a field called SWEMethod. It contains a long string, with a delimiter (_@) in the middle somewhere. You want to use everything before the delimiter for some reporting purposes. OK?

Use the field extraction methods shown to you, which will create a new field called 'X'. Then - use 'X' instead of 'SWEMethod' for the remainder of the query. It is that simple, e.g.

index=pt_app_siebel | rex field=SWEMethod "^(?<X>\w+)_@" | timechart span=5min count(X) values(X)

SWEMethod will still have its old (long) value, but that does not matter, since you're not using it.

TiagoMatos
Path Finder

I need replace because I want to use timechart count by SWEMethod, with SWEMethod aggregated, you see?


lukejadamec
Super Champion

If you use rex to grab only the left side, what do you think will remain on the right side?
Are you trying to remove the raw data?
Why do you think you need replace?


TiagoMatos
Path Finder

I can identify the "_@" elements, but I haven't yet figured out how to replace the right side with nothing, so rex is not enough.


kristian_kolb
Ultra Champion

TiagoMatos: did you try what I outlined in comments #1, #3 and #6?


TiagoMatos
Path Finder

kristian_kolb, that is exactly what I want. I want to use replace to keep the left side of the string. I need to identify those that have "_@" and ignore the right side of it.


lcrielaa
Communicator

Your question isn't exactly clear. Could you perhaps give a bit of sample data and say what you want to skip and what you want to keep?

Assuming that Kristian's example is correct, you could use the following regex with a positive lookahead.
".*?(?=_@)"

In the example of "foo_@bar", the above regex would only select "foo" and ignore the "_@bar". You can use this regex in Splunk using the rex command.

edit: Based on your comment, I ran the following regex through Regexr (http://gskinner.com/RegExr/) for you:

(?<=^SWEMethod=).*?(?=_@)

Based on your sample, this will select only ChangeCurrentObj. This regex will only work if the data starts with "SWEMethod=". If this isn't the case, a poor man's replacement could be:

(?<=\w=).*?(?=_@)

but I recommend working it out further.


TiagoMatos
Path Finder

One Example is this one. The field is SWEMethod, so

SWEMethod=ChangeCurrentObj_@0*0*10*0*5*Group0*9*UIPropInd1*Y11*CxGroupName10*VII. VPN16*RequireMoreChild0*11*Parent Path9*1-CWMQIJW4*Type5*Group12*TemplateName23*eCfgGroupStandardJS.swt8*Selected1*N12*.MasterGroup17*VII. Fixo &amp"

What I want is to use replace to keep just "ChangeCurrentObj", and nothing more than that.


kristian_kolb
Ultra Champion

left-side-to-keep_@right-side-to-skip

Still confusing?

Also, "^@" would require that the string/line starts with '@', which it does not.

/k


lukejadamec
Super Champion

I'm confused. First you say you "want is just to keep the string until "@" appear", then you say you "want to replace every character right to the "@" by nothing".

In my world, replace before @ by nothing means keep everything after @.

If you want to have both before and after the @, then rex both.


kristian_kolb
Ultra Champion

TiagoMatos: my suggestion creates a field called 'X' which contains the beginning of the SWEMethod up to _@. Use the field 'X' instead of 'SWEMethod' in the subsequent search commands.

lukejadamec: that would not work. The field does not start with '@'. And TiagoMatos wants everything before _@.


lukejadamec
Super Champion

Why don't you rex everything after the @?

rex field=SWEMethod "^@(?<X>.*)"


TiagoMatos
Path Finder

I want to replace every character to the right of the "_@" by nothing, so it has to be an eval with a replace.


kristian_kolb
Ultra Champion

index=pt_app_siebel | rex field=SWEMethod "^(?<X>\w+)_@" | timechart etc etc blah blah

??


TiagoMatos
Path Finder

I have SWEMethods with values like this one:

ChangeCurrentObj_@0*0*10*0*5*Group0*9*UIPropInd1*Y11*CxGroupName10*VII. VPN16*RequireMoreChild0*11*Parent Path9*1-KR600AC4*Type5*Group12*TemplateName23*eCfgGroupStandardJS.swt8*Selected1*N12*.MasterGroup17*VII. Fixo &amp

I want to perform a count such as this:

I want to count by method, but everything after _@ is just a specification. So I want something like this:

index="pt_app_siebel" NOT error* | eval SWEMethod=replace(SWEMethod, "^(\w+)_@.+$", "\1") | timechart usenull=F limit=0 span=1s count by SWEMethod

Hope it helps


kristian_kolb
Ultra Champion

Please provide a few sample events. This could be a start:

rex field=my_long_string "(?<new_field>.+?)_@"

/k
