topic Require help with rex query in Splunk Search

Require help with rex query

Mrig342 — Tue, 09 Feb 2021 04:37:09 GMT

Hi,

I have the below type of logs:

log1: Mon Feb 8 02:57:36 EST 2021 41% /logs

log2: Mon Feb 8 02:57:36 EST 2021 73% /opt

log3: Mon Feb 8 02:57:36 EST 2021 69% /var

log4: Mon Feb 8 02:57:36 EST 2021 48% /apps

I want to create a table as below:

File_System Disk_Usage

\logs 41

\opt 73

\var 69

\apps 48

Here I want to extract the "Disk_Usage" and "File_System" fields with the respective values. This might be a very silly question but I might be missing out something while creating the rex command. So please help me create the rex command. you kind support will be highly appreciated.

Thank you.

Re: Require help with rex query

manjunathmeti — Tue, 09 Feb 2021 05:03:43 GMT

hi @Mrig342,

Try this,

| makeresults | eval _raw=" _raw Mon Feb 8 02:57:36 EST 2021 41% /logs Mon Feb 8 02:57:36 EST 2021 73% /opt Mon Feb 8 02:57:36 EST 2021 69% /var Mon Feb 8 02:57:36 EST 2021 48% /apps" | multikv forceheader=1 | rex "\s(?<Disk_Usage>\d+)\%\s\/(?<File_System>\w+)" | table File_System, Disk_Usage

If this reply helps you, an upvote/like would be appreciated.

Re: Require help with rex query

Mrig342 — Tue, 09 Feb 2021 05:52:04 GMT

Thank you very much @manjunathmeti.