topic Re: How to edit my current rex search to extract path names? in Splunk Search

How to edit my current rex search to extract path names?

Federica_92 — Fri, 20 Mar 2015 17:22:05 GMT

Hi everyone,

I have a problem building an SPL query with the regular expression:

This is an example of my data:
These are all pathname

 root/home/1/2/3/4/5/6/
 root/home/1/2/3/4
 root/home/0/9/11
 root/home/0/9/22

and so on...

I would like edit my data in the base of one specific folder, so for example, if the folder is 2, I would like to obtain:

 root/home/1/*
 root/home/1/*
 root/home/0/9/11
 root/home/0/9/22

If the folder was home my data are:

root/*

Actually, all my pathname are raw data, so to extract them I use this search, that's work fine:

  index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | fields path_d

How can I create a new search, using the results of this previous search, that do what I have ask before?

Please, let me know.

Re: How to edit my current rex search to extract path names?

cpetterborg — Fri, 20 Mar 2015 21:21:44 GMT

I'd like to confirm what it is that you want to do by asking some questions:

Question 1:
Do your events only contain the path that you want, or are you getting the path as you describe in the first code box from the extracted values from your rex command (in the path_d result)?

Question 2:
Would you like the final output of the search from the events in the first box to look exactly like the results in the second box (specifically that you also have 4 entries)?

Question 3:
Do you only want one result as you show in the third box (only one event), or would you want four evants all the same (your results seem to be inconsistent if not)?

Question 4:
Do you want the results that don't match your criteria (e.g. 2 or home subdirectories) to be unchanged?

Re: How to edit my current rex search to extract path names?

Federica_92 — Mon, 23 Mar 2015 09:25:08 GMT

Question1 :
To get the path, I'm using the rex command, and they are: path_d results.

Question2 :
I can have infinite entry, like 10000 of events, in base of the parameters of the user, I would like wildcard a specific parameter. And I would like have the results of only the second box. In this case the parameter was 2

Question 3:
Yes, I would like only one results, so dedup the copy, to have consistent data.
I have written 2 equals pathname in this example, to make understand at the other people

Question4:
Yes, if they don't match my criteria(parameter) they have to stay unchange

Thank you so much

Re: How to edit my current rex search to extract path names?

Federica_92 — Mon, 23 Mar 2015 12:34:06 GMT

For now, I have created 2 queries, one that write all the results that are not changing, and another one that write the results that are changing:

  search: mvc.tokenSafe("index=main File:read | rex \"\\s\\-\\s\\[(?<path_dd>.+)\ $mytoken2$\" | dedup path_dd | eval path=path_dd+\"*\" | sort by path| table path | outputlookup output.csv append=True")

Re: How to edit my current rex search to extract path names?

fdi01 — Tue, 24 Mar 2015 13:14:24 GMT

you can explaint your lab correctly?

Re: How to edit my current rex search to extract path names?

woodcock — Mon, 10 Aug 2015 16:50:14 GMT

Like this:

for "2":

index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | eval new_path=path_d | rex field=new_path mode=sed "s%/2/.*%/*%" | stats values(new_path)

for "home":

index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | eval new_path=path_d | rex field=new_path mode=sed "s%/home/.*%/*%" | stats values(new_path)

Re: How to edit my current rex search to extract path names?

Federica_92 — Tue, 11 Aug 2015 08:13:34 GMT

thank you : )