- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to not display the source only as a Atmchk...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have source below:
/prod/app/atm/ATMCHKMI1a/logs/catalina.out
/prod/app/atm/ATMCHKMI2a/logs/catalina.out
/prod/app/atm/ATMFOTN1a/logs/catalina.out
/prod/app/atm/ATMFITNA2a/logs/catalina.out
/prod/app/atm/ATMATMASS1a/logs/catalina.out
/prod/app/atm/ATMATMASS2a/logs/catalina.out
I want the source to display only as an Atmchk1a for first and so on and not the entire path.
How to do it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think rex with capture groups would enable you to get the name and site efficiently:
| makeresults | eval source="/prod/app/atm/ATMCHKMI1a/logs/catalina.out"
| append [| makeresults | eval source="/prod/app/atm/ATMCHKMI2a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMFOTN1a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMFITNA2a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMATMASS1a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMATMASS2a/logs/catalina.out"]
| rex field=source "^/([^/]+/){3}(?<name>[^/]+(?<site>[0-9]+)[^/]+?)/"
| eval site="site ".site
| table name site <other fields>
The regex looks for three path components before the extracted name, with site extracted as the last digits of the name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think rex with capture groups would enable you to get the name and site efficiently:
| makeresults | eval source="/prod/app/atm/ATMCHKMI1a/logs/catalina.out"
| append [| makeresults | eval source="/prod/app/atm/ATMCHKMI2a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMFOTN1a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMFITNA2a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMATMASS1a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMATMASS2a/logs/catalina.out"]
| rex field=source "^/([^/]+/){3}(?<name>[^/]+(?<site>[0-9]+)[^/]+?)/"
| eval site="site ".site
| table name site <other fields>
The regex looks for three path components before the extracted name, with site extracted as the last digits of the name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Micahkemp,
It did not work,
We now have got the source as below from the full path which I wanted.
ATMatmasst1a
ATMatmasst2a
ATMatmasstportal1a
ATMcdprof1a
ATMcdprof2a
ATMchkimg1a
ATMchkimg2a
ATMchkimgclt1prod
ATMciv1a
ATMcmprspclt1prod
ATMcrdreissueclt1prod
ATMcusprof1a
ATMcusprof2a
ATMdepositjamclt1prod
ATMelgbacctflnkg1a
ATMelgbacctflnkg2a
ATMercpt1a
But now I want a table which which shows in a below manner
source site host starttime
where
ATMcusprof2a is site 2
ATMelgbacctflnkg1a is site 1
and so on.....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changed it to add the word "site" to the site field, and added in a table command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Micahkemp, appreciated your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI Micahkemp,
Can you please tell me good sites from where I can learn regex?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@abhi04,
https://regexone.com/ is also good site to start regex learning
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://regex101.com/ is a great site to test regexes. As for learning them, I'd have to defer to google on that one, as I don't have a recommendation handy.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use rex in sed mode:
<base search>|rex field=source mode=sed "s/^\/[^\/]+\/[^\/]+\/[^\/]+\/(\w+).*/\1/"
OR simply use rex command:
<base search>|rex field=source "^\/[^\/]+\/[^\/]+\/[^\/]+\/(?<source>\w+)"
try this run anywhere search:
|makeresults|eval source="/prod/app/atm/ATMCHKMI1a/logs/catalina.out"|rex field=source mode=sed "s/^\/[^\/]+\/[^\/]+\/[^\/]+\/(\w+).*/\1/"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, It worked.
Also, if I want to separate into two site as well i.e. ATMCHKMI1a shows as site 1 and ATMCHKMI2a shows as site 2 and similarly for others. How to do that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes as @micahkemp suggested try this regex to get separate site name w.r.t. source name,
| rex field=source "^/([^/]+/){3}(?<source>[^/]+(?<site>[0-9]+)[^/]+?)/"
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
