- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: extract a string from source and table the lis...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have many sources/logfiles in a host like this:
/opt/ab/logs/abcd/apache/abcd-tcm.log
/opt/xy/logs/xyzz/apache/xyzz-tcm.log
/opt/pq/logs/xyzz/apache/pqrs-tcm.log
Im interested in extracting the third string of the log and I tried it via the below command to MyFieldName.
rex field=source "(\/opt\/.\/logs\/(?.)\/apache\/.)"
Now I want to table out these MyFieldName for a list of hosts. How can I achieve this?
ie. Host A might have MyFieldName 4 values.
Host B misht MyFieldName 3 values.
These MyFieldName can be common amongst the hosts.
Im not able to get this ont-to-many (server-to-MyFieldName values) Table.
When I try to dedup host OR MyFieldName with belwo search , it truncates the results.
index="capgm" sourcetype=tc host=* | rex field=source "(\/opt\/.\/logs\/(?.)\/apache\/.)" | where MyFieldName like "%%" | rename MyFieldName AS NewField, host AS SERVER | table NewField, SERVER | dedup NewField
I want something like this
HOST MyFieldName
A xyzz
abcd
B xyzz
pqrs
C xyzz
abcd
pqrs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
are you aware that your regular expression doesn't really extract a field?
This one should do the trick.
| rex field=source "\/opt\/[^\/]+?\/logs\/(?<myfield>[^\/]+?)\/"
An then do
| stats values(myfieldname) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
are you aware that your regular expression doesn't really extract a field?
This one should do the trick.
| rex field=source "\/opt\/[^\/]+?\/logs\/(?<myfield>[^\/]+?)\/"
An then do
| stats values(myfieldname) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @pyro_wood ,
Thankyou for the help..
My logfile sometimes contains like this
/opt/pq/logs/xyzz.backup1213/apache/pqrs-tcm.log
How can I modify the expression to extrat only xyzz without the the word that follow '.' operator? like in above example
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @samagar
like this \/opt\/[^\/]+?\/logs\/(?<myfield>\w+?)(?:\/|\.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Little bit hard to understand, but seems like you want to use the stats values function e.g.
... | stats values(myfieldname) by host
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
