topic To create a field from the csv data in Getting Data In

To create a field from the csv data

Paul_tcs — Fri, 19 Jul 2013 16:45:00 GMT

Hi Xperts,

I Need to create a field which displays hostnames with the following data,

1568    *NAIT US ICC Tibco Hawk Alerts  24/03/13 08:47  STOPPED :: BW Engine AFSDailyAndInitialLoad-A-550BwProcess-1911-14743 on ncdap-prd1911  Loanpath    Alert   High    00:15

11569   *NAIT US ICC Tibco Hawk Alerts  24/03/13 08:47  STOPPED :: BW Engine NAIT_AFS_BookingInterface-C-LP_AFS_BookingInterface_RequestMessage-1911-14743 on ncdap-prd1911 Loanpath    Alert   High    00:15

11570   *NAIT US ICC Tibco Hawk Alerts  24/03/13 08:47  STOPPED :: BW Engine IMPACS-C-IMPACS_LoanBooking_ReqRep-1911-14743 on ncdap-prd1911 Loanpath    Alert   High    00:15

11571   *NAIT US ICC Tibco Hawk Alerts  24/03/13 08:47  STOPPED :: BW Engine ICV_Customer_Interface-B-ICV_Get_Customer_Request-1911-14743 on ncdap-prd1914  Loanpath    Alert   High    00:15

11572   *NAIT US ICC Tibco Hawk Alerts  24/03/13 08:47  STOPPED :: BW Engine NAIT_AFS_BookingInterface-C-AFS_LP_BookingInterface_ResponseMessage-1911-14743 on ncdap-prd1921    Loanpath    Alert   High    00:15

in the above code, term staes with "ncdap-prd1911" "ncdap-prd1914" are nodes, i want to create a field "hostname" under which i want these nodes to filtered. How to proceed this.

Regards,
Paul

Re: To create a field from the csv data

lguinn2 — Fri, 19 Jul 2013 17:23:03 GMT

Here is the discussion in the manual of how to add fields at search time. In Splunk, this is called field extraction.
You may want to create a "permanent" field extraction using the Interactive Field Extractor.
If you want to create a field on the fly, during a search, you could do this:

yoursearchhere
| rex "\son\s*(?<hostname>ncdap\S+)"
| stats count by hostname

I just gave the stats command as one example of what you can do. But, if you just want to filter the data, you don't need fields at all

yoursearchhere NOT "ncdap-prd1911" NOT "ncdap-prd1914"

assuming that "ncdap-prd1911" "ncdap-prd1914" does not appear anywhere else in the event text.

Re: To create a field from the csv data

Paul_tcs — Sat, 20 Jul 2013 05:24:03 GMT

thanks a lot for your reply,

here when am giving this rex, this display four host which am mentioned in the sample query. consider that am having many hostname in the log, how to extract the same.

Also, i see one field hostname has been created when i view he contents, i see complete line of the log

ncdap-prd1911 Loanpath Alert High 00:15

instead i need only

ncdap-prd1911

how to achieve this.

Re: To create a field from the csv data

Paul_tcs — Sun, 21 Jul 2013 08:47:30 GMT

any help on this?

Re: To create a field from the csv data

lguinn2 — Mon, 22 Jul 2013 17:49:24 GMT

yoursearchhere | rex "\son\s*(?<hostname>ncdap\S+)" | stats count by hostname

should work. This will extract all of the hostnames in the log, if you replace the first line with a general query like sourcetype=ZZZZ where ZZZZ is the sourcetype of the data.

If you want to see the events, but only certain fields, you can do this

yoursearchhere | rex "\son\s*(?<hostname>ncdap\S+)" | table hostname

You could also filter like this

yoursearchhere | rex "\son\s*(?<hostname>ncdap\S+)" | where hostname="ncdap-prd1911" OR hostname="ncdap-prd1914" | stats count by hostname