https://community.splunk.com/t5/Splunk-Search/Regex-for-dynamic-string/m-p/183008#M52694 <P>Hey together,</P> <P>My input is a dynamic input:</P> <BLOCKQUOTE> <P>SysH=1.0;MemU=4871;MemF=3173;SwpU=5227;SwpF=10860;PrcC=95; <STRONG>eclipse.exe=0.175</STRONG>, <STRONG>firefox.exe=0.04</STRONG>, Dwm.exe=0.028, <STRONG>javaw.exe=0.025</STRONG>, Explorer.EXE=0.016; <STRONG>eclipse.exe=1611500</STRONG>, <STRONG>firefox.exe=1393504</STRONG>, <STRONG>javaw.exe=1180432</STRONG>, sidebar.exe=741164, PrivacyIconClient.exe=643392;CPUH=0.92;CPULd=0.08;CPUNonIdl=0.11;MemH=1.0;NetDownR=983399, eth7=0, eth6=0, eth11=0, eth0=0;NetUpR=17994, eth7=0, eth6=0, eth11=0, eth0=0;=0, eth10=0, eth12=0, eth15=0, eth9=0, eth14=0;</P> </BLOCKQUOTE> <P>As you can see, I've got two fields with the same name but different values. What I wanna do is <STRONG>to add an "m_" in front of the name of the bigger one</STRONG>. I guess it's just possible with <STRONG>regex</STRONG>. <BR /> In fact, I would not ask you for that if it was a static input. <BR /> The <STRONG>programm.exe parts are dynamic</STRONG>. But I really need to find a way to rename one of the fields in every case. </P> <P>Hope some of you can help me.<BR /> Thanks!</P> Wed, 18 Dec 2013 11:15:59 GMT Dreads94 2013-12-18T11:15:59Z https://community.splunk.com/t5/Splunk-Search/Regex-for-dynamic-string/m-p/183008#M52694 <P>Hey together,</P> <P>My input is a dynamic input:</P> <BLOCKQUOTE> <P>SysH=1.0;MemU=4871;MemF=3173;SwpU=5227;SwpF=10860;PrcC=95; <STRONG>eclipse.exe=0.175</STRONG>, <STRONG>firefox.exe=0.04</STRONG>, Dwm.exe=0.028, <STRONG>javaw.exe=0.025</STRONG>, Explorer.EXE=0.016; <STRONG>eclipse.exe=1611500</STRONG>, <STRONG>firefox.exe=1393504</STRONG>, <STRONG>javaw.exe=1180432</STRONG>, sidebar.exe=741164, PrivacyIconClient.exe=643392;CPUH=0.92;CPULd=0.08;CPUNonIdl=0.11;MemH=1.0;NetDownR=983399, eth7=0, eth6=0, eth11=0, eth0=0;NetUpR=17994, eth7=0, eth6=0, eth11=0, eth0=0;=0, eth10=0, eth12=0, eth15=0, eth9=0, eth14=0;</P> </BLOCKQUOTE> <P>As you can see, I've got two fields with the same name but different values. What I wanna do is <STRONG>to add an "m_" in front of the name of the bigger one</STRONG>. I guess it's just possible with <STRONG>regex</STRONG>. <BR /> In fact, I would not ask you for that if it was a static input. <BR /> The <STRONG>programm.exe parts are dynamic</STRONG>. But I really need to find a way to rename one of the fields in every case. </P> <P>Hope some of you can help me.<BR /> Thanks!</P> Wed, 18 Dec 2013 11:15:59 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-dynamic-string/m-p/183008#M52694 Dreads94 2013-12-18T11:15:59Z https://community.splunk.com/t5/Splunk-Search/Regex-for-dynamic-string/m-p/183009#M52695 <P>The easiest solution is probably to rewrite the events with SEDCMD in props.conf on your indexer (or Heavy Forwarder);</P> <PRE><CODE>[your sourcetype] SEDCMD-blah = s/(\w+\.exe=\d{4,})/m_\1/g </CODE></PRE> <P>As you can see, there are some assumptions here;<BR /> 1) that all the stuff you want to rename ends in .exe<BR /> 2) that they have at least a 4-digit value (i.e. greater than 1000)<BR /> 3) that the binaries (i.e. field names) can contain only certain characters.</P> <P>Adjust these things to suit your actual environment. Please note that this will actually change the events before the are written to disk, so if your'e not allowed to tamper with the data, this might not be the way to go. </P> <HR /> <P>UPDATE:</P> <P>Perhaps I should also explain what to do instead <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>It's essentially the same type of regex. While it <EM>looks</EM> like the events are altered, they are in fact not. Since the rex operates on the <CODE>_raw</CODE> field, they will look different in the search results. However, that change is not permanent.</P> <PRE><CODE>your search for events | fields + _raw | rex field=_raw mode=sed "s/(\w+\.exe=\d{4,})/m_\1/g" | kv kvdelim="=" </CODE></PRE> <P>First you clear all the fields except <CODE>_raw</CODE>, then do the <CODE>rex</CODE> renaming, then extract the fields.</P> <P>Hope this helps,</P> <P>K</P> Wed, 18 Dec 2013 14:46:24 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-dynamic-string/m-p/183009#M52695 kristian_kolb 2013-12-18T14:46:24Z https://community.splunk.com/t5/Splunk-Search/Regex-for-dynamic-string/m-p/183010#M52696 <P>updated with search-time voodoo as well.</P> Wed, 18 Dec 2013 15:22:31 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-dynamic-string/m-p/183010#M52696 kristian_kolb 2013-12-18T15:22:31Z https://community.splunk.com/t5/Splunk-Search/Regex-for-dynamic-string/m-p/183011#M52697 <P>great! Thank you very much!</P> Thu, 19 Dec 2013 09:09:42 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-dynamic-string/m-p/183011#M52697 Dreads94 2013-12-19T09:09:42Z