topic Re: How to Filter a specific field from event - in Splunk Enterprise

How to Filter a specific field from event -

Learnme_007 — Mon, 18 Jul 2022 14:47:53 GMT

I have a file which gives me the following output :-

srvrmgr> list comps SHOW SV_NAME,CP_DISP_RUN_STATE,CP_STARTMODE,CP_NUM_RUN_TASKS,CP_MAX_TASKS,CP_ACTV_MTS_PROCS,CP_MAX_MTS_PROCS,CP_START_TIME,CP_END_TIME,CC_ALIAS

SV_NAME CP_DISP_RUN_STATE CP_STARTMODE CP_NUM_RUN_TASKS CP_MAX_TASKS CP_ACTV_MTS_PROCS CP_MAX_MTS_PROCS CP_START_TIME CP_END_TIME CC_ALIAS

-------- ------------------- ------------ ---------------- ------------ ----------------- ---------------- ------------------- ------------------- ---------------
---------
lnx001 Online Auto 0 50 1 1 2022-07-18 03:53:03 comp_123 comp_123
lnx003 Online Auto 0 50 1 1 2022-07-18 03:53:03 comp_456 comp_123
lnx005 Online Auto 0 20 1 1 2022-07-18 03:53:03 comp_123 comp_123
lnx007 Online Manual 0 50 0 1 2022-07-18 03:53:03 comp_987
lnx010 Online Manual 0 500 0 5 2022-07-18 03:53:03 comp_564
lnx011 Online Auto 643 4000 40 40 2022-07-18 03:53:03 comp_123

I only want to extract the 1st,4th(numeric) and where comp_name=comp_123, discarding all the other entries and show 1st field as host, 4th field as runningtasks and final field as component.. Please help me with the filters

Re: Filter a specific field from event -

richgalloway — Mon, 18 Jul 2022 14:42:32 GMT

Do you want to filter at index time or search time? What have you tried so far? Please share the inputs.conf and props.conf stanzas for the file.

Re: How to Filter a specific field from event -

Learnme_007 — Fri, 22 Jul 2022 10:52:50 GMT

lnx001 Online Auto 1 50 1 1 2022-07-18 03:53:03 comp_123 comp_123
lnx003 Online Auto 1 50 1 1 2022-07-18 03:53:03 comp_456 comp_123
lnx005 Online Auto 1 20 1 1 2022-07-18 03:53:03 comp_123 comp_123
lnx007 Online Manual 1 50 0 1 2022-07-18 03:53:03 comp_987
lnx010 Online Manual 1 500 0 5 2022-07-18 03:53:03 comp_564
lnx011 Online Auto 643 4000 40 40 2022-07-18 03:53:03 comp_123

I want to extract the field post Auto, which shows numeric 1(the numeric value can vary from 1-20). there are multiple fields with numeric 1 or anything in between 1-99 other than this field. As of now I tried this, but this shows all the fields which starts with 1 or any other numeric which has a space before and after the character. it also matches anything starting from 1-99

\s\d{1,2}\s

Re: How to Filter a specific field from event -

richgalloway — Fri, 22 Jul 2022 12:01:45 GMT

You haven't answered my questions.

Do you want to filter at index time or at search time?

The original posting asked about extracting 3 fields, but this reply asked only for the field after Auto. Which is desired? Is the field after Manual to be extracted or ignored?

Which "comp_123" value is the comp_name field? Some events have 2 comp_* fields.

To get the field after Auto, try Auto\s\d+

Re: How to Filter a specific field from event -

PickleRick — Fri, 22 Jul 2022 12:28:55 GMT

Since this output is clearly from some solution external to splunk, the question is whether you're preparing to ingest that data to splunk or do you have it already ingested in splunk in some form. If it's not yet ingested, will you be getting that as a file, events over syslog, any other way?