Easier way to search a stanza?

clintla
Contributor

Trying to parse out a set of stanzas

Node 1

Device 1 Healthy
Device 2 Healthy
Device 3 Healthy

Node 2

Device 1 Healthy
Device 2 Healthy
Device 3 Healthy

Node 3

Device 1 Healthy
Device 2 FAULT
Device 3 Healthy

If I linebreak on "Node\s+\n+" and just regex the first device status (healthy or not), it only takes the first line when I search, so I don't get an accurate device number, fault, or whatever the status is. Is there no way to apply regex to other parts of the line if they apply?

If I don't linebreak then I don't get the node number.

What are some other ways to look at this? Is there something I can do w/ a transaction to capture the last "Node" prior to something not healthy?

Seems like there should be an easy way to do this.

1 Solution

Gilberto_Castil
Splunk Employee

Just so that we are on the same level of understanding, the assumption here is that the data is broken in such a way that a Node and its Devices reflect a single, multi-line message. This is the line breaker that I used to ensure that assumption in this test.

#props.conf
[answers-1375232025]
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\r\n]+)Node\s\d+

Now the data set contains three events, one for each Node and its related Devices.

At this point you will want to extract the Node so it can be associated with the message.

| rex "(?<node>Node\s\d+)" 

Because the Device identity and status are part of a single event, it is not possible to isolate the interesting status by itself. We need to break this up into single lines. Notice how the Node identity is preserved.

| multikv noheader=t 

You are now ready to extract the Device identity and status.

| rex "(?<device>Device\s+\d+)\s+(?<status>\w+)" 

At this stage you can isolate those devices that are not in healthy state.

| search status="*" NOT status="Healthy" 

And, finally, prettify the result with a simple table.

| stats list(device) AS device list(status) AS status by node

All together, the search looks like this:

index=test sourcetype="answers-1375232025" 
| rex "(?<node>Node\s\d+)" 
| multikv noheader=t 
| rex "(?<device>Device\s+\d+)\s+(?<status>\w+)" 
| search status="*" NOT status="Healthy" 
| stats list(device) AS device list(status) AS status by node

I hope this helps.

--
gc
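A plain Python re-run of the same pipeline, added here as an example (it is not from the thread or from Splunk): it applies the answer's LINE_BREAKER, rex, multikv, search and stats steps to a constructed copy of the sample data, so the expected result can be checked offline before the props.conf change is deployed.

```python
import re
from collections import defaultdict

# Constructed sample input laid out like the stanzas in the question.
RAW = """Node 1

Device 1 Healthy
Device 2 Healthy
Device 3 Healthy

Node 2

Device 1 Healthy
Device 2 Healthy
Device 3 Healthy

Node 3

Device 1 Healthy
Device 2 FAULT
Device 3 Healthy
"""

# Same patterns as the answer's LINE_BREAKER and the two rex commands.
# Splunk discards the captured ([\r\n]+) and starts the next event at
# "Node N"; a lookahead split reproduces that behaviour here.
LINE_BREAKER = re.compile(r"[\r\n]+(?=Node\s\d+)")
NODE_RE = re.compile(r"(?P<node>Node\s\d+)")
DEVICE_RE = re.compile(r"(?P<device>Device\s+\d+)\s+(?P<status>\w+)")


def break_events(raw):
    """props.conf step: one multi-line event per Node (SHOULD_LINEMERGE=False)."""
    return [event for event in LINE_BREAKER.split(raw) if event.strip()]


def unhealthy_by_node(raw):
    """The SPL pipeline: rex node, multikv, rex device/status,
    search NOT status="Healthy", stats list(device) list(status) by node."""
    result = defaultdict(lambda: {"device": [], "status": []})
    for event in break_events(raw):
        node = NODE_RE.search(event).group("node")    # | rex "(?<node>Node\s\d+)"
        for line in event.splitlines():                # | multikv noheader=t
            match = DEVICE_RE.search(line)             # | rex device / status
            # search's field-value match is case-insensitive, so compare lowercased.
            if match and match.group("status").lower() != "healthy":
                result[node]["device"].append(match.group("device"))
                result[node]["status"].append(match.group("status"))
    return dict(result)                                # | stats ... by node
```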

clintla
Contributor

Worked nicely. Need to learn more about
| multikv noheader=t
Probably the most thorough answer I've seen on Answers!

THANKS!
