how to trim output

marees123
Path Finder

Hi Experts,

I'm getting the below output in my search (index=LB example.domain.com* "monitor status *")

May 4 20:16:05 netloadBalance_1a notice mcpd[7457]: 01070727:5: Pool /Common/example.domain.com member /Common/192.168.2.24:443 monitor status up. [ /Common/tcp_443: up ] [ was up for 55hrs:23mins:26sec ]

I would like to get the output like

example.domain.com 192.168.2.24:443 monitor status up

Please advise.

1 Solution

richgalloway
SplunkTrust

This should do the trick.

index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P<domain>[^ ]+).*\/(?P<status>[\d\.:]+ monitor status \w+\.)" | table domain status

Replace "&lt;" and "&gt;" with "<" and ">", respectively.

---
If this reply helps you, Karma would be appreciated.

marees123
Path Finder

Thank you Richgalloway,

I'm getting the second output... 192.168.2.24:443 monitor status up

I need to get the first output also, which is the URL name, like....

example.domain.com 192.168.2.24:443 monitor status up


richgalloway
SplunkTrust

I've updated my answer. You may need to adjust the regex depending on if "/Common/" is a fixed string or not.

---
If this reply helps you, Karma would be appreciated.

marees123
Path Finder

Thank you ....

Yes... It is working fine

Can we concatenate that domain & status together?


richgalloway
SplunkTrust

Certainly. Just use an eval like this: eval foo=domain+" "+status

---
If this reply helps you, Karma would be appreciated.

marees123
Path Finder

Sorry Richgalloway...

Where do I need to insert this command... I'm poor in queries...


richgalloway
SplunkTrust

Put it before the table command, then change the table command to table foo.

---
If this reply helps you, Karma would be appreciated.

marees123
Path Finder

You are awesome...

Thanks a lot.. it's working perfectly 🙂


marees123
Path Finder

Hi Richgalloway

Sorry....

What do we need to do to display it like the sentence below...

example.domain.com monitor status changed to up/down on node 192.168.2.24:443


richgalloway
SplunkTrust

You have most of what you need already. All you have to do is tweak the regex string and the eval:

index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P<domain>[^ ]+).*\/(?P<node>[\d\.:]+) monitor status (?P<status>\w+\.)" | eval sentence=domain+" monitor status changed to "+status+" on node "+node | table sentence

---
If this reply helps you, Karma would be appreciated.

marees123
Path Finder

Thanks a lot ....:-)


marees123
Path Finder

Hi Richgalloway,

example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:18
example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:18
example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:22
example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:22
example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:22
example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:26

Shall I get a single entry for down and up in a single search.... if the domain name and IP address are the same...


richgalloway
SplunkTrust

That's easily done using the dedup command.

index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P<domain>[^ ]+).*\/(?P<node>[\d\.:]+) monitor status (?P<status>\w+\.)" | dedup domain node | eval sentence=domain+" monitor status changed to "+status+" on node "+node | table sentence

---
If this reply helps you, Karma would be appreciated.

marees123
Path Finder

Thank you:-)

But it is displaying only UP, not down...


richgalloway
SplunkTrust

It is displaying the most recent status. To show the most recent down and up states, change the dedup command to dedup domain node status.

---
If this reply helps you, Karma would be appreciated.
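To make the difference between dedup domain node and dedup domain node status concrete, here is an added Python re-implementation of the rex / eval / dedup pipeline from the answers above, run over constructed mcpd-style sample lines. This is example code written for this page, not Splunk's code or the poster's. It keeps the thread's three group names (domain, node, status) but matches the trailing "." outside the status group; the timestamps, the second pool other.domain.com and the session-status line are invented. The dedup function mimics Splunk's behaviour of keeping the first event it sees per key combination, with events arriving newest first, so the two-key variant returns only the latest state per member while the three-key variant returns the latest down and the latest up.

```python
import re
from datetime import datetime

# Regex adapted from the thread's rex: same three named groups, but the
# trailing '.' is matched outside the status group so the sentence reads
# "changed to up" rather than "changed to up.".
MONITOR_RE = re.compile(
    r"/Common/(?P<domain>[^ ]+).*/(?P<node>[\d.:]+) monitor status (?P<status>\w+)\."
)

# Constructed sample events in the mcpd syslog format from the question.
# Timestamps, the other.domain.com pool and the last line are invented.
SAMPLE_EVENTS = [
    "May 14 02:26:18 netloadBalance_1a notice mcpd[7457]: 01070727:5: Pool /Common/example.domain.com member /Common/192.168.2.24:443 monitor status down. [ /Common/tcp_443: down ] [ was up for 55hrs:23mins:26sec ]",
    "May 14 02:26:18 netloadBalance_1a notice mcpd[7457]: 01070727:5: Pool /Common/example.domain.com member /Common/192.168.2.24:443 monitor status down. [ /Common/tcp_443: down ] [ was up for 55hrs:23mins:26sec ]",
    "May 14 02:26:22 netloadBalance_1a notice mcpd[7457]: 01070727:5: Pool /Common/example.domain.com member /Common/192.168.2.24:443 monitor status down. [ /Common/tcp_443: down ] [ was up for 55hrs:23mins:30sec ]",
    "May 14 02:26:22 netloadBalance_1a notice mcpd[7457]: 01070727:5: Pool /Common/example.domain.com member /Common/192.168.2.24:443 monitor status up. [ /Common/tcp_443: up ] [ was down for 0hrs:0mins:4sec ]",
    "May 14 02:26:26 netloadBalance_1a notice mcpd[7457]: 01070727:5: Pool /Common/example.domain.com member /Common/192.168.2.24:443 monitor status up. [ /Common/tcp_443: up ] [ was down for 0hrs:0mins:8sec ]",
    "May 14 02:26:30 netloadBalance_1a notice mcpd[7457]: 01070727:5: Pool /Common/other.domain.com member /Common/10.0.0.5:80 monitor status down. [ /Common/tcp: down ] [ was up for 2hrs:0mins:0sec ]",
    # Not a monitor-status line: the search filter and the rex both skip it.
    "May 14 02:26:31 netloadBalance_1a notice mcpd[7457]: 01070638:5: Pool /Common/example.domain.com member /Common/192.168.2.24:443 session status enabled.",
]


def extract(line):
    """Mimic the search filter plus rex: return the extracted fields for a
    monitor-status event, or None when the line does not match."""
    m = MONITOR_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Syslog prefix "Mon DD HH:MM:SS" is the first 15 characters.
    fields["_time"] = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return fields


def dedup(events, keys):
    """Mimic `dedup <keys>`: Splunk keeps the first event it sees for each key
    combination, and an index search yields events newest first, so this is
    'the most recent event per combination'."""
    ordered = sorted(events, key=lambda e: e["_time"], reverse=True)
    seen = set()
    kept = []
    for ev in ordered:
        key = tuple(ev[k] for k in keys)
        if key in seen:
            continue
        seen.add(key)
        kept.append(ev)
    return kept


def sentence(ev):
    """Mimic the thread's eval: domain+" monitor status changed to "+status+" on node "+node."""
    return f'{ev["domain"]} monitor status changed to {ev["status"]} on node {ev["node"]}'


def run(lines, keys=("domain", "node", "status")):
    """Full pipeline: filter/extract, dedup on the given keys, build sentences."""
    events = [ev for ev in map(extract, lines) if ev is not None]
    return [sentence(ev) for ev in dedup(events, keys)]


if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS, ("domain", "node")):
        print("dedup domain node        ->", line)
    for line in run(SAMPLE_EVENTS):
        print("dedup domain node status ->", line)
```

With dedup domain node the example.domain.com member shows up once, in its latest state (up), which is the behaviour marees123 saw; with dedup domain node status it shows up twice, once for the latest down and once for the latest up.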

richgalloway
SplunkTrust

Great! Please accept the answer.

---
If this reply helps you, Karma would be appreciated.