topic Re: Filter a Search by Field Value, using Rex in Splunk Search

Filter a Search by Field Value, using Rex

ctallarico20 — Tue, 17 Jun 2014 14:27:45 GMT

Hi, I'm looking for a way to run one summary index search on all files of the same sourcetype, and then identify individual files by defining characteristics. For example, a sample log output is:

222 Mon Jun 16 07:00:47 EDT 2014 13384426 2 PS MarkSweep 0 0.0 0 0.0 519045120 524288000 519045120 119919880

and I know that every log from this file will contain either "PS MarkSweep" or "PS Scavenge" in the same position, which in this case is rex field | rex "(?i)^(?:[^ ]* ){5}\\d+\\t\\d+\\t\\d+\\t(?P<FIELDNAME>[^\\t]+)" |. How can I run the search returning results only where FIELDNAME is "PS MarkSweep" or "PS Scavenge"? Thank you!!

Re: Filter a Search by Field Value, using Rex

martin_mueller — Tue, 17 Jun 2014 15:30:12 GMT

Not sure if I understand the question correctly, but I'd do this:

PS MarkSweep OR Scavenge | rex "(?i)^(?:[^ ]* ){5}\\d+\\t\\d+\\t\\d+\\t(?P<FIELDNAME>[^\\t]+)" | search FIELDNAME="PS MarkSweep" OR FIELDNAME="PS Scavenge"

Note, the bit in the front is for performance gain - that way Splunk will only load events off disk if they contain those words. Consider adding the field extraction to the sourcetype in props.conf.

Re: Filter a Search by Field Value, using Rex

chimmi04 — Thu, 03 Aug 2017 14:19:59 GMT

Aha Its the search command I was looking for, thanks @martin_mueller 🙂