topic Re: Eval string until character in Splunk Search

Eval string until character

TiagoMatos — Tue, 13 Aug 2013 14:35:15 GMT

Hello!

I'm having strings that are very specific. I'm trying to agregate them, so what I want is just to keep the string until "_@" appear. I don't understand yet Perl expression syntax. Can anyone help?

Thank you

Re: Eval string until character

kristian_kolb — Tue, 13 Aug 2013 15:09:33 GMT

please provide a few sample events. This could be a start;

rex field=my_long_string "(?<new_field>.+?)_@"

Re: Eval string until character

TiagoMatos — Tue, 13 Aug 2013 15:19:42 GMT

I have SWEMethods with values like this one:

ChangeCurrentObj_@0*0*10*0*5*Group0*9*UIPropInd1*Y11*CxGroupName10*VII. VPN16*RequireMoreChild0*11*Parent Path9*1-KR600AC4*Type5*Group12*TemplateName23*eCfgGroupStandardJS.swt8*Selected1*N12*.MasterGroup17*VII. Fixo &amp

I want to perform a count such as this:

I want to count by method, but everything after _@ is just a specification. So I want something like this:

index="pt_app_siebel" NOT error*| eval X =replace(SWEMethod, "^(\w+)_@.+$", "\1" ) | timechart usenull=F limit=0 span=1s count by SWEMethod | table SWEMethod

Hope it helps

Re: Eval string until character

kristian_kolb — Tue, 13 Aug 2013 15:34:36 GMT

index=pt_app_siebel | rex field=SWEMethod "^(?<X>\w+)_@" | timechart etc etc blah blah

Re: Eval string until character

TiagoMatos — Tue, 13 Aug 2013 15:43:29 GMT

I want to replace every character right to the "_@" by nothing, so that it has to be eval with a replace

Re: Eval string until character

lukejadamec — Tue, 13 Aug 2013 17:19:18 GMT

Why don't you rex everything after the @?
rex field=SWEMethod "^@(?.*)"

Re: Eval string until character

kristian_kolb — Tue, 13 Aug 2013 20:36:29 GMT

TiagoMatos: my suggestion creates a field called 'X' which contains the beginning of the SWEMethod up to _@. Use the field 'X' instead of 'SWEMethod' in the subsequent search commands.

lukejadamec: that would not work. The field does not start with '@'. And TiagoMatos want everything before _@

Re: Eval string until character

lukejadamec — Tue, 13 Aug 2013 21:32:39 GMT

I'm confused. First you say you "want is just to keep the string until "@" appear", then you say you "want to replace every character right to the "@" by nothing".

In my world, replace before @ by nothing means keep everything after @.

If you want to have both before and after the @, then rex both.

Re: Eval string until character

kristian_kolb — Wed, 14 Aug 2013 07:42:00 GMT

left-side-to-keep_@right-side-to-skip

still confusing?

also, "^@" would require that the string/line starts with '@', which it does not.

Re: Eval string until character

lcrielaa — Mon, 28 Sep 2020 14:33:51 GMT

Your question isn't exactly clear. Could you perhaps give a bit of sample data and say what you want to skip and what you want to keep?

Assuming that Kristian's example is correct, you could use the following regex with a positive lookahead.
".*?(?=_@)"

In the example of "foo_@bar", the above regex would only select "foo" and ignore the "_@bar". You can use this regex in Splunk using the rex command.

edit: Based on your comment, I ran the following regex through Regexr (http://gskinner.com/RegExr/) for you:

(?<=^SWEMethod=).*?(?=_@)

Based on your sample, this will select only ChangeCurrentObj. This regex will only work if the data starts with "SWEMethod=". If this isn't the case, a poor man's replacement could be:

(?<=\w=).*?(?=_@)

but I recommend working it out further.

Re: Eval string until character

TiagoMatos — Wed, 14 Aug 2013 08:17:11 GMT

Kristian.kolb, that is exactly what I want. I want to use replace to keep left-side in the string. I need to identify those that have "_@" and ignore the right side of it

Re: Eval string until character

TiagoMatos — Mon, 28 Sep 2020 14:33:54 GMT

One Example is this one. The field is SWEMethod, so

SWEMethod=ChangeCurrentObj_@0*0*10*0*5*Group0*9*UIPropInd1*Y11*CxGroupName10*VII. VPN16*RequireMoreChild0*11*Parent Path9*1-CWMQIJW4*Type5*Group12*TemplateName23*eCfgGroupStandardJS.swt8*Selected1*N12*.MasterGroup17*VII. Fixo &amp"

What I want is to use replace to keep just "ChangeCurrentObj", and nothing more than that

Re: Eval string until character

kristian_kolb — Wed, 14 Aug 2013 11:13:59 GMT

TiagaMatos: did you try what i outlined in comments #1, #3 and #6?

Re: Eval string until character

TiagoMatos — Wed, 14 Aug 2013 11:20:12 GMT

I can identify the "_@" elements, but I didn't yet figure out how to replace the right side with nothing, so rex is not enough

Re: Eval string until character

lukejadamec — Wed, 14 Aug 2013 13:36:03 GMT

If you use rex to grab Only the left side, what do you think will remain on the right side?
Are you trying to remove the raw data?
Why do you think you need replace?

Re: Eval string until character

TiagoMatos — Wed, 14 Aug 2013 13:43:09 GMT

I need replace because I want to use timechart count by SWEMethod, with SWEMethod aggregated you see?

Re: Eval string until character

kristian_kolb — Wed, 14 Aug 2013 14:20:12 GMT

OK. once again.

You have a field called SWEMethod. It contains a long string, with a delimeter (_@) in the middle somewhere. You want to use everything before the delimeter for some reporting purposes. OK?

Use the field extraction methods shown to you, which will create a new field called 'X'. Then - use 'X' instead of 'SWEMethod' for the remainder of the query. It is that simple, e.g.

index=pt_app_siebel | rex field=SWEMethod "^(?<X>\w+)_@" | timechart span=5min count(X) values(X)

SWEMethod will still have its old (long) value, but that does not matter, since you're not using it.

Re: Eval string until character

TiagoMatos — Mon, 28 Sep 2020 14:34:07 GMT

Ok, this allows me to count by those which don't have "@". Well I want to coun by them too you. I want ChangeCurrentObj@Anonymous and ChangeCurrentObj_@blabla2 and ChangeCurrentObj_@blabla3 to be rewritten as ChangeCurrentObj, and then count by them too

Re: Eval string until character

kristian_kolb — Wed, 14 Aug 2013 14:59:21 GMT

Perhaps I can refer you to some pieces of the documentation that might prove useful.

http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/Usefieldstosearch
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutfields