Solved: Need help with query

Mrig342 · ‎04-19-2021

Hi All,

I am trying to create a query for the below type of logs in a server:

log1: Thu Apr 15 07:31:31 EDT 2021 73% /var

log2: Thu Apr 15 07:31:31 EDT 2021 46% /opt

log3: Thu Apr 15 07:31:31 EDT 2021 50% /apps

log4: Thu Apr 15 07:31:31 EDT 2021 1% /logs

log5: 1% /logs 50% /apps 46% /opt 73% /var

Note: log5 is the just the combined values of log1 to log4.

Here using the query "index=abc sourcetype=INFRA_FS | rex field=_raw "(?ms)\s(?<Disk_Usage>\d+)%" | rex field=_raw "(?ms)\%\s(?<File_System>\/\w+)" | search host=29xyz | table File_System,Disk_Usage", I am getting the below table:

File_System Disk_Usage

/var 73
/opt 46
/apps 50
/logs 1
/logs 50

Here, an extra log is coming up in the table from log5. I want only the first 4 logs to be considered and the the 5 log should be avoided/removed.

Can anyone please help me to create a query to get the output in the desired way..?? You kind support will be highly appreciated.

Thank you.

ITWhisperer · ‎04-19-2021

| regex _raw!="^\d+%"
| rex field=_raw "(?ms)\s(?<Disk_Usage>\d+)%"
| rex field=_raw "(?ms)\%\s(?<File_System>\/\w+)"

View solution in original post

ITWhisperer · ‎04-19-2021

| regex _raw!="^\d+%"
| rex field=_raw "(?ms)\s(?<Disk_Usage>\d+)%"
| rex field=_raw "(?ms)\%\s(?<File_System>\/\w+)"

Mrig342 · ‎04-19-2021

Thank you ITWhisperer. Your support is highly appreciated.

Need help with query

table

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio