topic Re: How do I use only part of Source as legend? in Getting Data In

How do I use only part of Source as legend?

yuanqi — Mon, 28 Sep 2020 12:29:42 GMT

I have the following search:
"avg tx =" | timechart max(tx) by source

Where Source is the filenames, for example:

\\server1\vdi\LOGS\PCoIPLogFiles\V30040016\pcoip_server_2012_09_14_0000045c.txt

The search works perfectly however the legends (same as the source) are too long.

I'd like to only take part of the "source" as legends, remove "\\server1\vdi\LOGS\PCoIPLogFiles\" and "\pcoip_server_2012_09_14_0000045c.txt", only leave the folder name "V300400xx" (I have many folders so I'm using xx to replace the actual number)

OR, I was thinking if I can create sourcetype using part of the source, meaning "V300400xx", and do the following search, it should also work.
"avg tx =" | timechart max(tx) by sourcetype

Is this possible? Thanks in advance.

Barry

Re: How do I use only part of Source as legend?

davecroto — Fri, 21 Sep 2012 23:22:37 GMT

Use rex to create another field: rex field=source "/opt/log/(?[^/]+)$" and then use that field as the the "by"

Re: How do I use only part of Source as legend?

yuanqi — Fri, 21 Sep 2012 23:37:28 GMT

I'm not familiar with rex, I tried the following and didn't work. Any suggestion?

"avg tx =" rex field=source "\server1\vdi\LOGS\PCoIPLogFiles(?[^]+)$" | timechart max(tx) by hostname

Re: How do I use only part of Source as legend?

yuanqi — Fri, 21 Sep 2012 23:39:01 GMT

Tried the following and didn't work. Any suggestion?

"avg tx =" rex field=source "\\server1\vdi\LOGS\PCoIPLogFiles\(?<hostname>[^\]+)$" | timechart max(tx) by hostname

Re: How do I use only part of Source as legend?

davecroto — Sat, 22 Sep 2012 00:41:01 GMT

Q: you are searching for "avg tx ="

if so

"avg tx="|rex field=source "\\server1\vdi\LOGS\PCoIPLogFiles\\\\(?\w+)" |timechart....

Re: How do I use only part of Source as legend?

davecroto — Sat, 22 Sep 2012 00:49:10 GMT

edited this alot because I have to escape the \'s but I think you are just missing the "|" "pipe" between what you are searching for and the rex statement

Re: How do I use only part of Source as legend?

davecroto — Sat, 22 Sep 2012 01:05:22 GMT

source="little.log" |search "avg tx=" |eval tx=6 |rex field=source "little(?\.\w+)" |timechart max(tx) by hostname

Re: How do I use only part of Source as legend?

davecroto — Sat, 22 Sep 2012 01:06:48 GMT

It is hard to do without a sample event, but I think this is what you need now the legend should be the regex'd out portion of the source. Let me know if it works. 🙂

Re: How do I use only part of Source as legend?

yuanqi — Sat, 22 Sep 2012 01:15:07 GMT

Got error:
Error in 'rex' command: Encountered the following error while compiling the regex '\server1\vdi\LOGS\PCoIPLogFiles(?w+)': Regex: PCRE does not support \L, \l, \N{name}, \U, or \u

Re: How do I use only part of Source as legend?

davecroto — Sat, 22 Sep 2012 01:25:35 GMT

I'm assuming the slashes are not there in your response because you didn't escape them 🙂

Just use a regex that works in the rex statement. As a test, does it work when you just do:

| rex field=source "\\server1\vdi\LOGS\PCoIPLogFiles\(?V30040016)"

Do you still get the error message?

Re: How do I use only part of Source as legend?

davecroto — Sat, 22 Sep 2012 01:41:08 GMT

What you really want to do is a transforms with a SOURCE_KEY, but that would be a bit more complicated.

Re: How do I use only part of Source as legend?

bmacias84 — Sat, 22 Sep 2012 02:07:30 GMT

I would use rex or regex to create a new field for the segment you wish to use as your new source. Below is a sample, but the regex statement is incorrect. This would be the simplest if you don't to use a transform. Keep in mind there is a higher search cost when using this method, the transform would be more efficient.

... | rex field=source (?<scr>/[\w\d\s\.]+/[\w\d\s\.]+$)| ... | timechart max(tx) by scr

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/rex

Optionaly you could build a lookup table. Though I would use rex or a transform.

Re: How do I use only part of Source as legend?

yuanqi — Sat, 22 Sep 2012 03:14:19 GMT

I gave up trying the \'s and end up doing the following.

rex field=source "V(?< hostname>\w+)" | timechart max(tx) by hostname

I'm missing the first letter V of my hostnames but at least this works.

Re: How do I use only part of Source as legend?

melting — Sun, 23 Sep 2012 04:23:28 GMT

try putting the "V" in the parens...

rex field=source "(?< hostname>V\w+)" | timechart max(tx) by hostname