https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109622#M7779 <P>Thank you ....</P> <P>Yes... It is working fine</P> <P>can we concatenate that domain &amp; status together? </P> Wed, 13 May 2015 16:16:08 GMT marees123 2015-05-13T16:16:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109618#M7775 <P>Hi Experts,</P> <P>i'm getting the below output in my search (index=LB example.domain.com* "monitor status *")</P> <P>May 4 20:16:05 netloadBalance_1a notice mcpd[7457]: 01070727:5: Pool /Common/example.domain.com member /Common/192.168.2.24:443 monitor status up. [ /Common/tcp_443: up ] [ was up for 55hrs:23mins:26sec ]</P> <P>i would like to get the output like </P> <P>example.domain.com 192.168.2.24:443 monitor status up</P> <P>please advise</P> Wed, 13 May 2015 14:29:14 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109618#M7775 marees123 2015-05-13T14:29:14Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109619#M7776 <P>This should do the trick.</P> <PRE><CODE>index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P&lt;domain&gt;[^ ]+).*\/(?P&lt;status&gt;[\d\.:]+ monitor status \w+\.)" | table domain status </CODE></PRE> <P>Replace <CODE>"&amp;lt;"</CODE> and <CODE>"&amp;gt;"</CODE> with "&lt;" and "&gt;", respectively.</P> Wed, 13 May 2015 15:12:34 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109619#M7776 richgalloway 2015-05-13T15:12:34Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109620#M7777 <P>Thank you Richgalloway,</P> <P>im getting the second output... 192.168.2.24:443 monitor status up</P> <P>need to get the first output also which is the url name, like....</P> <P>example.domain.com 192.168.2.24:443 monitor status up</P> Wed, 13 May 2015 15:54:07 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109620#M7777 marees123 2015-05-13T15:54:07Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109621#M7778 <P>I've updated my answer. You may need to adjust the regex depending on if "/Common/" is a fixed string or not.</P> Wed, 13 May 2015 16:07:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109621#M7778 richgalloway 2015-05-13T16:07:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109622#M7779 <P>Thank you ....</P> <P>Yes... It is working fine</P> <P>can we concatenate that domain &amp; status together? </P> Wed, 13 May 2015 16:16:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109622#M7779 marees123 2015-05-13T16:16:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109623#M7780 <P>Certainly. Just use an eval like this <CODE>eval foo=domain+" "+status</CODE></P> Wed, 13 May 2015 16:18:38 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109623#M7780 richgalloway 2015-05-13T16:18:38Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109624#M7781 <P>Sorry Richgalloway... </P> <P>where do i need to insert this command... i'm poor in quries...</P> Wed, 13 May 2015 16:28:49 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109624#M7781 marees123 2015-05-13T16:28:49Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109625#M7782 <P>Put it before the table command then change the table command to <CODE>table foo</CODE>.</P> Wed, 13 May 2015 16:31:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109625#M7782 richgalloway 2015-05-13T16:31:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109626#M7783 <P>you are awesome...</P> <P>thanks a lot.. its working perfectly <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 13 May 2015 16:33:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109626#M7783 marees123 2015-05-13T16:33:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109627#M7784 <P>Great! Please accept the answer.</P> Wed, 13 May 2015 16:35:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109627#M7784 richgalloway 2015-05-13T16:35:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109628#M7785 <P>Hi Richgalloway</P> <P>Sorry....</P> <P>what we need to do to display like a below sentence... </P> <P>example.domain.com monitor status changed to up/down on node 192.168.2.24:443</P> Wed, 13 May 2015 17:43:04 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109628#M7785 marees123 2015-05-13T17:43:04Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109629#M7786 <P>You have most of what you need already. All you have to do is tweak the regex string and the eval:</P> <PRE><CODE>index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P&amp;lt;domain&amp;gt;[^ ]+).*\/(?P&amp;lt;node&amp;gt;[\d\.:]+) monitor status (?P&amp;lt;status&amp;gt;\w+\.)" | eval sentence=domain+" monitor status changed to "+status+" on node "+node | table sentence </CODE></PRE> Wed, 13 May 2015 17:52:59 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109629#M7786 richgalloway 2015-05-13T17:52:59Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109630#M7787 <P>Thanks a lot ....:-)</P> Wed, 13 May 2015 18:10:21 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109630#M7787 marees123 2015-05-13T18:10:21Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109631#M7788 <P>Hi Richgalloway,</P> <P>example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:18<BR /> example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:18<BR /> example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:22<BR /> example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:22<BR /> example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:22<BR /> example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:26</P> <P>shall i get a single entry for down and up in a single search.... if the domain name and IP address is same...</P> Thu, 14 May 2015 07:35:12 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109631#M7788 marees123 2015-05-14T07:35:12Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109632#M7789 <P>That's easily done using the <CODE>dedup</CODE> command.</P> <PRE><CODE>index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P&amp;lt;domain&amp;gt;[^ ]+).*\/(?P&amp;lt;node&amp;gt;[\d\.:]+) monitor status (?P&amp;lt;status&amp;gt;\w+\.)" | dedup domain node | eval sentence=domain+" monitor status changed to "+status+" on node "+node | table sentence </CODE></PRE> Thu, 14 May 2015 13:19:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109632#M7789 richgalloway 2015-05-14T13:19:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109633#M7790 <P>Thank you:-)</P> <P>but it is displaying only UP not down... </P> Fri, 15 May 2015 06:32:38 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109633#M7790 marees123 2015-05-15T06:32:38Z https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109634#M7791 <P>It is displaying the most recent status. To show the most recent down and up states, change the dedup command to <CODE>dedup domain node status</CODE>.</P> Fri, 15 May 2015 14:32:10 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/how-to-trim-output/m-p/109634#M7791 richgalloway 2015-05-15T14:32:10Z