topic Re: How to perform a regex where grouping multiple lines to a single field/value? in Splunk Search

How to perform a regex where grouping multiple lines to a single field/value?

tha_ghost99 — Wed, 23 Nov 2022 21:19:32 GMT

below is the value of a field.

what i would like to do is do a regex where i would output node# + temperature.

example output:

Node0_temperature=26 degrees C / 78 degrees F

Node1_temperature=29 degrees C / 84 degrees F

thanks,




node0:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    Election priority              Master (default)
    Temperature                 26 degrees C / 78 degrees F
    CPU temperature             41 degrees C / 105 degrees F
    DRAM                      98254 MB (98304 MB installed)
    Memory utilization           4 percent
    5 sec CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     4 percent
      Interrupt                  1 percent
      Idle                      95 percent

node1:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    Election priority              Master (default)
    Temperature                 29 degrees C / 84 degrees F
    CPU temperature             41 degrees C / 105 degrees F
    DRAM                      98254 MB (98304 MB installed)
    Memory utilization           4 percent
    5 sec CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     2 percent
      Interrupt                  0 percent
      Idle                      98 percent

Re: how to perform a regex where grouping multiple lines to a single field/value?

richgalloway — Wed, 23 Nov 2022 19:47:18 GMT

What are we looking at? Is that raw data or results from a Splunk search? Is it one event, two, or many? Which fields are extracted already? What regex/query have you tried so far?

Re: how to perform a regex where grouping multiple lines to a single field/value?

tha_ghost99 — Wed, 23 Nov 2022 20:34:49 GMT

hi thank you very much for replying.

this is the raw data, and one event.

within that event, splunk extracted the output provided, as a single field.

so technically you can ignore about the field, treat this as a single event. 🙂

Re: How to perform a regex where grouping multiple lines to a single field/value?

bowesmana — Wed, 23 Nov 2022 22:34:30 GMT

Assuming that's a single _raw event, then you want something like this

| rex max_match=0 "(?s)(?<nodeNum>node\d+):.*?Temperature\s+(?<temp>[^\n]*)" | eval Temps=mvzip(nodeNum, temp, "=")

which will do a ". matches newline" match (?s) and extract both fields to nodeNum and temp fields

the mzvip will then join the two together.

Re: how to perform a regex where grouping multiple lines to a single field/value?

tha_ghost99 — Wed, 23 Nov 2022 23:24:59 GMT

thank you very much, this worked really well.. 🙂

@richgalloway

i may ask for a few more help later on. 🙂

thank you also @bowesmana for the help.

Re: how to perform a regex where grouping multiple lines to a single field/value?

tha_ghost99 — Wed, 23 Nov 2022 23:36:23 GMT

sorry me again, what if i wanted to add a third paramater? example 'last reboot reason' ?

haha im stuck yet again

@richgalloway

Re: how to perform a regex where grouping multiple lines to a single field/value?

richgalloway — Thu, 24 Nov 2022 01:02:23 GMT

Did you intend to accept @bowesmana 's answer? I have not provided one, yet.

Re: How to perform a regex where grouping multiple lines to a single field/value?

tha_ghost99 — Thu, 24 Nov 2022 14:07:56 GMT

@bowesmana i got a new one.

using similar regex. how can i do a query where it will provide output if will provide output per NODE0 or NODE1 and display only if each line after "/var" if the line does not have "no such file or directory"

node0:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory
/var/: blablablaba.txt

node1:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory

so the output will end up being:

NODE0:

/var/: blablablaba.txt

NODE1:

null/blank/nothing

Re: How to perform a regex where grouping multiple lines to a single field/value?

bowesmana — Fri, 25 Nov 2022 02:54:36 GMT

I am not sure how you'd write the regex to extract multiple /var lines that are 'connected' to the node - but I suggest asking this question in a new topic, so more eyes will get to see it.

Re: How to perform a regex where grouping multiple lines to a single field/value?

tha_ghost99 — Fri, 25 Nov 2022 18:22:51 GMT

@bowesmana

thank you,

i will do that, if i can make it easier for you. using the same search string you gave me.

how can i modify it so that it grabs every single line.

node0:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory
/var/: blablablaba.txt

node1:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory

output expecting:

node0,/var/: No such file or directory
node0,/var/tmp/: No such file or directory
node0,/var/: blablablaba.txt

node1,/var/: No such file or directory
node1,/var/tmp/: No such file or directory

Re: How to perform a regex where grouping multiple lines to a single field/value?

tha_ghost99 — Mon, 28 Nov 2022 16:57:10 GMT

@bowesmana

quick question on this output. how can i modify it, if there are multiple Temperature fields under node0?

how can i capture the other Temperature values under the same node #?

| rex max_match=0 "(?s)(?<nodeNum>node\d+):.*?Temperature\s+(?<temp>[^\n]*)"
| eval Temps=mvzip(nodeNum, temp, "=")