topic Re: how to format the output of a splunk query ? in Splunk Search

how to format the output of a splunk query ?

rajs115 — Mon, 08 Nov 2021 16:39:11 GMT

Hi,

I have a splunk query which results the two outputs (using table) such as "JOB_NAME" and "JOB_ID".

For example, the output values are 'job_name' is 'abcd' and 'job_id' is '456'. The final output i would like to get is "abcd-456".

How can i update the splunk query to merge two outputs as one ?

Thanks.

Re: how to format the output of a splunk query ?

richgalloway — Mon, 08 Nov 2021 16:42:30 GMT

Use an eval with the concatenation operator to produce a new field.

| eval foo = job_name . "-" . job_id | table foo

Re: how to format the output of a splunk query ?

rajs115 — Mon, 08 Nov 2021 18:13:58 GMT

@richgalloway ,

The command you suggested is working as i need. I have another question. The JOB_NAME output is "abcd.exe". The output i am getting after running the command you suggested is "abcd.exe-456". Can you please suggest me how to delete '.exe' from the output?

Thanks.

Re: how to format the output of a splunk query ?

richgalloway — Mon, 08 Nov 2021 19:44:31 GMT

There are few ways to do that.

1) Strip .exe from JOB_NAME before concatenation.

| eval JOB_NAME=replace(JOB_NAME,".exe","") | eval foo=JOB_NAME."-".JOB_ID

2) Strip .exe from JOB_NAME during concatenation.

| eval foo=replace(JOB_NAME,".exe","")."-".JOB_ID

3) Remove .exe from the concatenated string afterwards.

| eval foo=JOB_NAME."-".JOB_ID | eval foo=replace(foo, ".exe", "")

There are alternative methods for each of these.

Re: how to format the output of a splunk query ?

rajs115 — Mon, 08 Nov 2021 20:08:34 GMT

@richgalloway ,

Your answer is perfectly fine. I have a small problem running the query to replace an extension. To get this right, i am trying to extract a git url in my actual task. The git url looks like below.

https://git.mycompany.project.git

here, i am trying to remove '.git' from the end of the project url. I am running below command you suggested,

to remove '.git' . But there is name 'git' at the beginning of the url as well.

| eval foo=replace(JOB_NAME,".git","")."-".JOB_ID

The final output is coming like this.

expected output: https://git.mycompany.project

Actual output: https:/.mycompany.project.

I just want to eliminate the .git at the end of the url. Not the first .git from url. Can you please suggest me how to overcome this?

Thanks.

Re: how to format the output of a splunk query ?

richgalloway — Mon, 08 Nov 2021 20:27:20 GMT

Try this alternative command.

| rex field=foo mode=sed "s/\.git$//"

Re: how to format the output of a splunk query ?

rajs115 — Mon, 08 Nov 2021 20:43:37 GMT

@richgalloway ,

This is how i am extracting the JOB_NAME form the splunk logs

Logs:

proj_url\tst[0;x= https://git.mycompany.project.git plan\tst[0;x=XbzuPbsj

Splunk query i am using here:

| rex "(?<url>https\S+)"

The output returns the value of https://git.mycompany.project.git .

Is there a way to eliminate .git in this query and return just https://git.mycompany.project ?

Re: how to format the output of a splunk query ?

richgalloway — Mon, 08 Nov 2021 20:53:36 GMT

I don't have a definitive way to extract url without the .git on the end. I suggest using the rex command above to remove .git from url after it is extracted.

Re: how to format the output of a splunk query ?

rajs115 — Mon, 08 Nov 2021 20:57:39 GMT

Now i understood how to run it properly. All working good now. Thank you

Re: how to format the output of a splunk query ?

richgalloway — Tue, 09 Nov 2021 01:00:02 GMT

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

Re: how to format the output of a splunk query ?

rajs115 — Tue, 09 Nov 2021 01:02:58 GMT

Hi rich, I already accepted your first comment as the solution to my question. Thanks.