topic Re: EXTRACTION OF FIELDS in Splunk Enterprise

EXTRACTION OF FIELDS

sphiwee — Tue, 17 Nov 2020 10:05:28 GMT

Can I please get the extraction of "14%" as memory used & "boot" as directory, thank you.

[2020-11-17 11:33:43+0200] Filesystem Size Used Avail Use% Mounted on /dev/sda1 2.0G 274M 1.8G 14% /boot

Re: EXTRACTION OF FIELDS

inventsekar — Tue, 17 Nov 2020 10:53:44 GMT

"\d+ --- one or more digits.... (it will match for 5%, 15% and 150% as well)"

|makeresults | eval log="[2020-11-17 11:33:43+0200] Filesystem Size Used Avail Use% Mounted on /dev/sda1 2.0G 274M 1.8G 14% /boot" | rex field=log "(?<memoryUsed>\d+\%)\s(?<directory>.*)$" | table memoryUsed directory

Re: EXTRACTION OF FIELDS

inventsekar — Tue, 17 Nov 2020 11:08:23 GMT

Hi @sphiwee if the issue resolved, can you please accept the above one as the solution.. if still there are any issues, pls let us know. thanks.

Re: EXTRACTION OF FIELDS

sphiwee — Tue, 17 Nov 2020 11:16:13 GMT

How do i get rid of the empty spaces above

Re: EXTRACTION OF FIELDS

inventsekar — Tue, 17 Nov 2020 11:27:27 GMT

Hi @sphiwee the empty spaces meaning no matches, .. did the splunk search matched on all logs? all the logs are in the same format ?

please update the search query last portion... "| table memoryUsed directory _raw"... so for the empty space, corresponding log lines can be seen.. copy paste those lines please...

Re: EXTRACTION OF FIELDS

sphiwee — Wed, 18 Nov 2020 06:41:30 GMT

Hi @inventsekar

i was able to fix it with this

"| search memoryUsed=* OR directory=*"

Re: EXTRACTION OF FIELDS

sphiwee — Wed, 18 Nov 2020 06:43:01 GMT

Am I able to convert that 14% to a piechart that shows only 14% space used? and how? kinda struggling to do it