Getting Data In

How to not display the source only as an Atmchk1a for the entire path?

abhi04
Communicator

I have source below:

/prod/app/atm/ATMCHKMI1a/logs/catalina.out
/prod/app/atm/ATMCHKMI2a/logs/catalina.out
/prod/app/atm/ATMFOTN1a/logs/catalina.out
/prod/app/atm/ATMFITNA2a/logs/catalina.out
/prod/app/atm/ATMATMASS1a/logs/catalina.out
/prod/app/atm/ATMATMASS2a/logs/catalina.out

I want the source to display only as an Atmchk1a for the first, and so on, and not the entire path.
How do I do it?


micahkemp
Champion

I think rex with capture groups would enable you to get the name and site efficiently:

| makeresults | eval source="/prod/app/atm/ATMCHKMI1a/logs/catalina.out"
| append [| makeresults | eval source="/prod/app/atm/ATMCHKMI2a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMFOTN1a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMFITNA2a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMATMASS1a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMATMASS2a/logs/catalina.out"]

| rex field=source "^/([^/]+/){3}(?<name>[^/]+(?<site>[0-9]+)[^/]+?)/"
| eval site="site ".site
| table name site <other fields>

The regex looks for three path components before the extracted name, with site extracted as the last digits of the name.

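A Python check of the accepted answer's rex pattern, added here and not part of the thread. It assumes Python's re module, which needs the (?P<name>...) group syntax where Splunk's PCRE-based rex uses (?<name>...); the pattern is otherwise unchanged. It runs over constructed sample paths, including two edge cases the thread does not cover: a multi-digit name and a name with no letters after the digit.

```python
import re

# The accepted answer's regex, with Python-style named groups.
# Greedy [^/]+ followed by backtracking means <site> captures the
# LAST single run of digits it can, and the lazy [^/]+? after it
# requires at least one non-slash character between the digit and "/".
SOURCE_RE = re.compile(r"^/([^/]+/){3}(?P<name>[^/]+(?P<site>[0-9]+)[^/]+?)/")

# Constructed sample sources: the thread's paths plus edge cases.
SAMPLE_SOURCES = [
    "/prod/app/atm/ATMCHKMI1a/logs/catalina.out",
    "/prod/app/atm/ATMATMASS2a/logs/catalina.out",
    "/prod/app/atm/ATMchkimgclt1prod/logs/catalina.out",  # digit in the middle
    "/prod/app/atm/ATMCHKMI12a/logs/catalina.out",        # two-digit run
    "/prod/app/atm/ATMFOO1/logs/catalina.out",            # nothing after the digit
    "/var/log/syslog",                                    # too few path components
]


def extract(source):
    """Return (name, site) for one source path, or None when rex would not match."""
    m = SOURCE_RE.search(source)
    if m is None:
        return None
    return m.group("name"), m.group("site")


def site_table(sources):
    """Mimic `| eval site="site ".site | table name site` over a list of sources.

    A non-matching source keeps its row with empty (None) cells, as Splunk's
    table command would show it when rex sets no fields.
    """
    rows = []
    for src in sources:
        hit = extract(src)
        if hit is None:
            rows.append({"name": None, "site": None})
        else:
            name, site = hit
            rows.append({"name": name, "site": "site " + site})
    return rows


if __name__ == "__main__":
    for row in site_table(SAMPLE_SOURCES):
        print(row)
```

Note that "ATMCHKMI12a" yields site "2", not "12", and "ATMFOO1" does not match at all; both are worth checking before relying on the pattern for every source name.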


abhi04
Communicator

Hi Micahkemp,

It did not work.

We now have got the source as below from the full path which I wanted.
ATMatmasst1a
ATMatmasst2a
ATMatmasstportal1a
ATMcdprof1a
ATMcdprof2a
ATMchkimg1a
ATMchkimg2a
ATMchkimgclt1prod
ATMciv1a
ATMcmprspclt1prod
ATMcrdreissueclt1prod
ATMcusprof1a
ATMcusprof2a
ATMdepositjamclt1prod
ATMelgbacctflnkg1a
ATMelgbacctflnkg2a
ATMercpt1a

But now I want a table which shows in the manner below:

source site host starttime

where
ATMcusprof2a is site 2

ATMelgbacctflnkg1a is site 1

and so on...


micahkemp
Champion

Changed it to add the word "site" to the site field, and added in a table command.


abhi04
Communicator

Thanks Micahkemp, I appreciate your help.


abhi04
Communicator

Hi Micahkemp,

Can you please tell me good sites from where I can learn regex?


493669
Super Champion

@abhi04,
https://regexone.com/ is also a good site to start learning regex.

micahkemp
Champion

https://regex101.com/ is a great site to test regexes. As for learning them, I'd have to defer to google on that one, as I don't have a recommendation handy.


493669
Super Champion

You can use rex in sed mode:

<base search>|rex field=source mode=sed "s/^\/[^\/]+\/[^\/]+\/[^\/]+\/(\w+).*/\1/"

Or simply use the rex command:

<base search>|rex field=source "^\/[^\/]+\/[^\/]+\/[^\/]+\/(?<source>\w+)"

Try this run-anywhere search:

|makeresults|eval source="/prod/app/atm/ATMCHKMI1a/logs/catalina.out"|rex field=source mode=sed "s/^\/[^\/]+\/[^\/]+\/[^\/]+\/(\w+).*/\1/"

abhi04
Communicator

Thanks, it worked.
Also, if I want to separate into two sites as well, i.e. ATMCHKMI1a shows as site 1 and ATMCHKMI2a shows as site 2, and similarly for the others, how do I do that?


493669
Super Champion

Yes, as @micahkemp suggested, try this regex to get a separate site name w.r.t. the source name:

| rex field=source "^/([^/]+/){3}(?<source>[^/]+(?<site>[0-9]+)[^/]+?)/"