topic Re: Need help in extracting value from a field in Splunk Search

Need help in extracting value from a field

anoopambli — Fri, 27 Feb 2015 11:59:58 GMT

i have tried whatever i could to get the desired output rex but not happening, please help..
This is what i am trying to do,

I have a field which has values like below,

OK: C: 10 OK: F: 19.13 OK: G: 0.57 13304 Fri Feb 27 06:39:52 2015 stopping 13304
OK: C: 79.64 OK: E: 66.18 OK: F: 79.41 OK: G: 67.67 OK: H: 72.26 OK: I: 93.33 OK: J: 15.33 OK: K: 17.3 14104 Fri Feb 27 06:57:27 2015 stopping 14104
OK: C: 54.57 OK: I: 6.98 OK: K: 0.99 OK: L: 69.21 17676 Fri Feb 27 06:57:19 2015 stopping 17676

These are drive usage details of remote windows servers, i want to do a clean up on values on this field, ideally this is how it should look like

C: 10 F:19.13 G:0.57
C: 79.64 E: 66.18 F: 79.41 G: 67.67 H: 72.26 I: 93.33 J: 15.33 K: 17.3
C: 54.57 I: 6.98 K: 0.99 L: 69.21

Any idea how i can accomplish this?

Re: Need help in extracting value from a field

richgalloway — Fri, 27 Feb 2015 12:52:25 GMT

This worked for me with your sample data.

... | rex max_match=0 field=foo "(?:OK: (?P<drive>\w:)\s(?P<usage>[\.\d]+))+" | ...

Re: Need help in extracting value from a field

anoopambli — Fri, 27 Feb 2015 13:31:08 GMT

Thank you for your response. I think we are almost there. With the query given it is creating two fields, one for the drive name and another for the usage. That is perfectly fine, but only thing i noticed is that i am getting only one drive usage. Do i need to do anything to match all others the similar way?

Re: Need help in extracting value from a field

richgalloway — Fri, 27 Feb 2015 15:01:45 GMT

I neglected to mention rex would extract the fields as multi-valued fields. Use mvexpand to see all values.

... | rex max_match=0 field=foo "(?:OK: (?P<drive>\w:)\s(?P<usage>[\.\d]+))+" | mvexpand drive | mvexpand usage | ...

Re: Need help in extracting value from a field

cpetterborg — Fri, 27 Feb 2015 16:34:04 GMT

If you just want to get a field that has the whole set of drive usage stats, you don't need to use rex:

<yoursearch> | eval driveusage=replace (_raw, "OK:\s(\w:)", "\\1") | eval driveinfo=replace(driveusage, "\d+\s\w{3}\s\w{3}\s\d\d\s\d\d:.*$", "")

This is likely to work on all your data and returns the entire string that you want into a single field called driveusage.

Re: Need help in extracting value from a field

anoopambli — Fri, 27 Feb 2015 19:06:26 GMT

Thank you guys, that worked perfectly for me. This was a huge help

Re: Need help in extracting value from a field

cpetterborg — Fri, 27 Feb 2015 21:54:37 GMT

If you want to separate them into each drive being in a different field, you have a bit of a problem, because you have a variable number of the drives in each line. The mvexpand that richgalloway suggests will let you separate the values by drive. In your original post you said that you wanted to clean up the data, which is what my eval commands do to produce the line with only the values that you wanted in the single result. What is the point of "cleaning up?" Do you want to extract each drive's value and do statistics on it, or are you just doing a report of the data for a given system, or is there something else that you want to do?

Re: Need help in extracting value from a field

anoopambli — Mon, 02 Mar 2015 10:32:17 GMT

I was trying to build a table where it shows the hostname then it's curresponding drives and usage. The query with richgalloway shows different drives but when i table them it is not showing all the drives and the usage association is coming up wrong. While using mvexpand, would there be any problem in associating name and value....?