topic see results of a rex command in Splunk Search

see results of a rex command

owie6466 — Thu, 08 Aug 2019 18:26:12 GMT

i have this rex code to extract the string from an event field:

| rex "(?\d{1,2})\s+hours?\s+ago"
| eval process=case(Time<4, "Process Up", true(), "Process down")

this is the event field:
Event
0 minutes ago, vmkid-p4rbdb03.lm.lmig.com, windows 6.3.9600.
1 minute ago, vmpid-h4eip001.lm.lmig.com, windows 6.3.9600.

What i wanted to do is extract the 1st string w/out the minute(s) ago and use an argument to check if this is less than 4, if it is i want to label it "Process up" and if not, it should be "Process down"

my code above is not working as it's marking all servers with less than 4 as Process down. that's why i wanted to see the results for the rex command

can you help me?

thank you!

Re: see results of a rex command

mayurr98 — Thu, 08 Aug 2019 18:37:24 GMT

Try this run anywhere search:

| makeresults 
| eval data="5 minutes ago, vmkid-p4rbdb03.lm.lmig.com, windows 6.3.9600.:1 minute ago, vmpid-h4eip001.lm.lmig.com, windows 6.3.9600." 
| makemv data delim=":" 
| mvexpand data 
| rex field=data "(?<Time>\d{1,2})\s+(minute|hour)s?\s+ago" 
| eval process=if(Time<4,"Process Up","Process Down")

On your prod data you should try:

.. | rex field=_raw "(?<Time>\d{1,2})\s+(minute|hour)s?\s+ago" 
| eval process=if(Time<4,"Process Up","Process Down")

Re: see results of a rex command

owie6466 — Thu, 08 Aug 2019 18:44:54 GMT

thank you so much!

Re: see results of a rex command

owie6466 — Thu, 08 Aug 2019 18:46:09 GMT

is there a way to make the data generic? i have multiple search results.

Re: see results of a rex command

mayurr98 — Thu, 08 Aug 2019 18:48:03 GMT

I didn't get you. could you pls elaborate ?