Field extraction using regex in a query?

New Member

Hi Team,

I have data like below:

\launching VM
Initializing Wed 2017-01-04 02:22:48
Going-stop Wed 2017-01-04 02:23:16
stop Wed 2017-01-04 02:23:17
Going-Start Wed 2017-01-04 02:23:17
Start Wed 2017-01-04 02:23:17

I want to find the latest status of a particular host.
How do I grep the first field and show it as a status?
The status changes every minute, so the dashboard should show the current status of the particular host.
Any help is appreciated.



It will require two adjustments:

  • Exclude events in query
  • Changing refresh interval of the query to get you the real-time view.

If you don't want launching VM you can exclude that in your base query like:

index=yourIndex sourcetype=yourSourcetype NOT(launching VM)
| rex "^(?<status>[^\s]+)" | stats latest(status) by host

For the part to get the latest realtime results you can either use real time search or the refresh option of the query, panel or dashboard. See here:


New Member

Thank you for your answer, it is helpful, but it is giving the result \launching VM as well.
I want output like this :

Host Status
A Start
B Stop
C Start

The example which I have given is a single event for only one host. I don't want \launching. I just want the last line of the event for one host and grep whether it is start or stop. The number of lines in the event is not fixed. The status is always changing. The current status I need to display in the dashboard.


Splunk Employee

Can you post a more descriptive example of your log format and desired output? In your first example, you say that you only listed a single event for one host. Does that mean these are multi-line events?



Assuming each line is a single event (i.e. _raw="Initializing Wed 2017-01-04 02:22:48"), then the following should get you started:

... <your search> | rex "^(?<status>[^\s]+)" | stats latest(status) by host
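To make the two answers above concrete for the multi-line case the asker describes, here is an added Python example (not from anyone in this thread, and not Splunk's own code) that reproduces what the suggested search does: it applies the same first-field regex as rex "^(?<status>[^\s]+)", skips the "\launching VM" banner line, takes the last status line of each event, and keeps the newest status per host the way stats latest(status) by host would. The hosts A and B, their timestamps and the repeated event for host A are constructed sample data for the demonstration.

```python
import re
from datetime import datetime

# Constructed sample: multi-line events in the thread's format, tagged with a
# hypothetical host field (A, B). Host A reports twice; the later event wins.
SAMPLE_EVENTS = [
    ("A", """\\launching VM
Initializing Wed 2017-01-04 02:22:48
Going-stop Wed 2017-01-04 02:23:16
stop Wed 2017-01-04 02:23:17
Going-Start Wed 2017-01-04 02:23:17
Start Wed 2017-01-04 02:23:17"""),
    ("B", """\\launching VM
Initializing Wed 2017-01-04 02:25:00
Going-stop Wed 2017-01-04 02:25:30
stop Wed 2017-01-04 02:25:31"""),
    ("A", """\\launching VM
Initializing Wed 2017-01-04 02:40:00
Going-stop Wed 2017-01-04 02:40:10
stop Wed 2017-01-04 02:40:11"""),
]

# First non-space run is the status (same idea as the thread's rex), followed
# by a weekday and a timestamp. The "\launching VM" banner has no timestamp,
# so it never matches and is dropped without a separate NOT clause.
STATUS_RE = re.compile(
    r"^(?P<status>\S+)\s+\w{3}\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


def last_status_line(event):
    """Return (status, timestamp) from the last matching line of one
    multi-line event, or None if no line carries a status and time."""
    for line in reversed(event.splitlines()):
        m = STATUS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            return m.group("status"), ts
    return None


def latest_status_by_host(events):
    """Equivalent of `| stats latest(status) by host`: for every host keep
    the status whose timestamp is newest across all of its events."""
    latest = {}
    for host, raw in events:
        parsed = last_status_line(raw)
        if parsed is None:
            continue  # event had no usable status line
        status, ts = parsed
        if host not in latest or ts > latest[host][1]:
            latest[host] = (status, ts)
    return {host: status for host, (status, _) in latest.items()}


if __name__ == "__main__":
    print("Host Status")
    for host, status in sorted(latest_status_by_host(SAMPLE_EVENTS).items()):
        print(host, status)
```

Note that "latest" is decided by the parsed timestamp, not by the order the events happen to be listed in, which mirrors how Splunk's latest() picks by _time; if the timestamp inside the event is not what Splunk assigned to _time, the dashboard will order by _time instead.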