Hi Guys,
I need some help. I have two types of logs.
nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot
nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -
I created a query to list these logs in a table format...
*swt* "cold boot" OR "system restarted" | rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)" | rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)" | eval state=coldboot+restart | table host, state, _time
I'm trying to bring both results into the column called state with "eval state=coldboot+restart", but I'm not getting anything in the column state. Please help me sort this out.
host          state   _time
nwfin1swt2            2015-07-27 23:01:29
nwfin2sw1001          2015-07-27 15:58:36.267
Try this
*swt* "cold boot" OR "system restarted" | rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)" | rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)" | eval state=coalesce(coldboot,"")+coalesce(restart,"") | table host, state, _time
Since both fields appear in different events, one will have a null value when the other is not null. The coalesce command will take the first non-null value (so a null value for coldboot or restart will be replaced by an empty string) and the concatenation will work fine.
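To make the null behaviour above concrete, here is an added Python re-enactment of the pipeline (not Splunk code and not from the thread): the two rex patterns are applied to constructed copies of the two events, and a tiny stand-in for eval's `+` and `coalesce()` shows why `coldboot+restart` comes out empty and why the coalesce form does not. The field names `coldboot`, `restart` and `state` are taken from the query; `spl_plus`, `coalesce` and `run_pipeline` are helper names assumed here.

```python
import re

# Constructed copies of the two event types quoted in the question.
EVENTS = [
    "nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot",
    "nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -",
]

# The two rex patterns from the thread, unchanged (Python uses (?P<name>...) for named groups).
REX_COLDBOOT = re.compile(r"(?i) Module 1: (?P<coldboot>\w+\s+\w+)")
REX_RESTART = re.compile(r"(?i) %SYS-CFC[1-9]-5-RESTART: (?P<restart>\w+\s+\w+)")


def rex(event, pattern):
    """Stand-in for `| rex`: named groups become fields; no match means no fields at all."""
    m = pattern.search(event)
    return m.groupdict() if m else {}


def spl_plus(a, b):
    """Stand-in for eval's `+`: a null operand makes the whole expression null."""
    if a is None or b is None:
        return None
    return a + b


def coalesce(*values):
    """Stand-in for coalesce(): first non-null argument, else null."""
    return next((v for v in values if v is not None), None)


def run_pipeline(events, fixed):
    """Run both rex steps per event and compute `state` the original or the fixed way."""
    rows = []
    for ev in events:
        fields = {}
        fields.update(rex(ev, REX_COLDBOOT))   # only the SATCTRL event yields coldboot
        fields.update(rex(ev, REX_RESTART))    # only the SYS-CFC event yields restart
        cold, rst = fields.get("coldboot"), fields.get("restart")
        if fixed:
            state = spl_plus(coalesce(cold, ""), coalesce(rst, ""))
        else:
            state = spl_plus(cold, rst)  # one operand is always null here
        rows.append({"host": ev.split()[0], "state": state})
    return rows


if __name__ == "__main__":
    for row in run_pipeline(EVENTS, fixed=False) + run_pipeline(EVENTS, fixed=True):
        print(row)
```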
Thanks a lot. It worked..... 🙂 Awesome...
Thanks again,
What does *swt* "cold boot" OR "system restarted" imply?
Would this method be possible to use with two fields where the regex is replaced by getting data directly from a value?
Yes.. this will give the raw results which contain the words cold boot and system restarted.. like below
nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot
nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -
Hi,
I believe you have to give space after the field names in eval expression.
swt "cold boot" OR "system restarted" | rex "(?i) Module 1: (?w+s+w+)" | rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?w+s+w+)" | eval state= coldboot + restart | table host, state, _time
-Krishna Rajapantula.
Hi,
I'm not sure why it is not working for you. I have tested this in my environment. Did you try in your eval expression eval state= field1 + field2? Space between field1, + and field2?
-Krishna Rajapantula
Yes Krishna... tried the same and used . as well... don't know why... still searching....
Hi Krishna...
Thanks... I tried.. but no output 😞
I assume that you are trying to concatenate the fields "coldboot" and "restart" in the field "state"; in that case you need to use a "." and not a "+" to get them both in "state". Right now you are trying to add them.
Hi aholze,
Thanks for the reply.
Yes, I tried that as well: eval state = coldboot.restart
It's still not working.
I tried state = coldboot." ".restart as well.. no results....
Do you get any data if you try them individually?
.... | table host coldboot restart _time
and just to be sure you could add the "field=_raw" parameter to the rex command:
... | rex field=_raw "YOUR REGEX HERE"
Yes... I'm getting results if I use them separately... concatenation is not working.
Aaaa I think I see it.. in your regex you forgot the slash in front of w+ and s+, so that gives you empty fields.. I tested and this should work:
swt "cold boot" OR "system restarted"
| rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)"
| rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)"
| eval state=coldboot." ".restart
| table host, state, _time
Hi Aholzel,
it's the same script I used earlier.
eventtype = net swt "cold boot" OR "system restarted"
| rex "(?i) Module 1: (?P<coldboot>\w+\s+\w+)"
| rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?P<restart>\w+\s+\w+)"
| eval state=coldboot." ".restart
| table host, state, _time
Where did I miss ""..? Please let me know. Thanks.
If I display coldboot and restart separately, I'm getting results.
I see, the slash is then probably only missing here because you didn't put everything in a code sample block.
I did this query to test and then everything is working:
index=* earliest=-10s@s
| eval colddata="nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot"
| eval restartdata="nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -"
| rex field=colddata "(?i) Module 1: (?<coldboot>\w+\s+\w+)"
| rex field=restartdata "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)"
| eval status=coldboot." ".restart
| table coldboot restart status
Can you test if that is also working in your environment? I did this in Splunk 6.2.3.
Hi aholzel,
It's listing all devices, and all rows are getting filled with the same results. Please check the logs below for your reference.
host    coldboot    restart             status
lb01b   Cold boot   System restarted    Cold boot System restarted
lb01b   Cold boot   System restarted    Cold boot System restarted
lb01b   Cold boot   System restarted    Cold boot System restarted