How do I evaluate on column in space and tab delim...

HelloItsMe76 · ‎05-17-2023

Hello all.

I have a log file that looks like this;

PROCESS UP STATUS RESTARTS AGE
PROCESS1 2/2 Running 0 6d19h
PROCESS2aaa 2/2 Completed 0 7d6h
PROCESS3 0/1 Running 6 6d19h

I am trying to evaluate on the RESTART colum. The length of the process name is not consistent and some files are tab delimited and some are space delimited.

I cant get my rex command to work. Any help would be very appreciated.

ITWhisperer · ‎05-17-2023

Try something like this

| rex "(?<PROCESS>\S+)\s+(?<UP>\S+)\s+(?<STATUS>\S+)\s+(?<RESTARTS>\S+)\s+(?<AGE>\S+)"

HelloItsMe76 · ‎05-22-2023

Hey, thanks for the reply. that basically just returns whats already there. I would like to show the data as a table and be able to filter and return rows where, for example, AGE <2. At the moment it doesnt seem to recognise that data as a table and hence i cant filter on AGE, or other columns.

ITWhisperer · ‎05-22-2023

If the rex is not extracting the fields (which would be shown as columns in a table), then the rex expression (based on your sample data) does not match your real data.

Please provide an accurate representation of your actual event data, preferably in a code block </> to reduce formatting corruption.

How do I evaluate on column in space and tab delimited logs?

rex

table

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?