Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

filed Extraction using regex in a query?

kalyanilandge
New Member
‎01-04-2017 10:45 PM

Hi Team,

I have data like below:

\launching VM
Initializing Wed 2017-01-04 02:22:48
Going-stop Wed 2017-01-04 02:23:16
stop Wed 2017-01-04 02:23:17
Going-Start Wed 2017-01-04 02:23:17
Start Wed 2017-01-04 02:23:17

I want to find the lastest status of a particular host.
How to grep the first field and show it as a status?
The status is changing for every minute so the dahsboard should show the current status of the particular host.
Any help is appreciated.

Tags (1)
0 Karma
Reply

gokadroid
Motivator
‎01-05-2017 08:40 AM

It will require two adjustments:

  • Exclude events in query
  • Changing refresh interval of the query to get you the real-time view.

If you don't want launching VM you can exclude that in your base query like:

index=yourIndex sourectype=yourSourcetype NOT(launching VM)
| rex "^(?<status>[^\s]+) | stats latest(status) by host

For the part to get the latest realtime results you can either use real time search or the refresh option of the query, panel or dashboard. See here:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Aboutrealtimesearches
https://answers.splunk.com/answers/483783/define-refresh-interval-for-formdashboard.html#answer-4840...

0 Karma
Reply

kalyanilandge
New Member
‎01-05-2017 05:10 AM

Thank you for you answers it is helpful, but it is giving the result \launching VM as well.
I want output like this :

Host Status
A Start
B Stop
C Start

The example which I have given is a single event for only one Host.I dont want \launching.I just want last line of the event for one host and grep whether it is start or stop.The number of lines in the event is not fixed.Status is always changing.The current status i need to display in the dashboard.

0 Karma
Reply

zshainsky
Splunk Employee
Splunk Employee
‎01-05-2017 07:17 AM

Can you post a more descriptive example of your log format and desired output. In your first example, you say that you only listed a single event for one Host. Does that mean these are multi line events?

0 Karma
Reply

jplumsdaine22
Influencer
‎01-05-2017 01:44 AM

Assuming each line is a single event (ie _raw="Initializing Wed 2017-01-04 02:22:48") Then the following should get you started:

... <your search> | rex "^(?<status>[^\s]+) | stats latest(status) by host
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...