Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to not display the source only as a Atmchk1a for the entire path?

abhi04
Communicator
‎02-16-2018 09:38 AM

I have source below:

/prod/app/atm/ATMCHKMI1a/logs/catalina.out
/prod/app/atm/ATMCHKMI2a/logs/catalina.out
/prod/app/atm/ATMFOTN1a/logs/catalina.out
/prod/app/atm/ATMFITNA2a/logs/catalina.out
/prod/app/atm/ATMATMASS1a/logs/catalina.out
/prod/app/atm/ATMATMASS2a/logs/catalina.out

I want the source to display only as an Atmchk1a for first and so on and not the entire path.
How to do it?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-16-2018 07:32 PM

I think rex with capture groups would enable you to get the name and site efficiently:

| makeresults | eval source="/prod/app/atm/ATMCHKMI1a/logs/catalina.out"
| append [| makeresults | eval source="/prod/app/atm/ATMCHKMI2a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMFOTN1a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMFITNA2a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMATMASS1a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMATMASS2a/logs/catalina.out"]

| rex field=source "^/([^/]+/){3}(?<name>[^/]+(?<site>[0-9]+)[^/]+?)/"
| eval site="site ".site
| table name site <other fields>

The regex looks for three path components before the extracted name, with site extracted as the last digits of the name.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-16-2018 07:32 PM

I think rex with capture groups would enable you to get the name and site efficiently:

| makeresults | eval source="/prod/app/atm/ATMCHKMI1a/logs/catalina.out"
| append [| makeresults | eval source="/prod/app/atm/ATMCHKMI2a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMFOTN1a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMFITNA2a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMATMASS1a/logs/catalina.out"]
| append [| makeresults | eval source="/prod/app/atm/ATMATMASS2a/logs/catalina.out"]

| rex field=source "^/([^/]+/){3}(?<name>[^/]+(?<site>[0-9]+)[^/]+?)/"
| eval site="site ".site
| table name site <other fields>

The regex looks for three path components before the extracted name, with site extracted as the last digits of the name.

0 Karma
Reply
Solved! Jump to solution

abhi04
Communicator
‎02-16-2018 07:55 PM

Hi Micahkemp,

It did not work,

We now have got the source as below from the full path which I wanted.
ATMatmasst1a

ATMatmasst2a

ATMatmasstportal1a

ATMcdprof1a
ATMcdprof2a
ATMchkimg1a
ATMchkimg2a
ATMchkimgclt1prod

ATMciv1a

ATMcmprspclt1prod

ATMcrdreissueclt1prod

ATMcusprof1a

ATMcusprof2a

ATMdepositjamclt1prod

ATMelgbacctflnkg1a

ATMelgbacctflnkg2a

ATMercpt1a

But now I want a table which which shows in a below manner

source site host starttime

where
ATMcusprof2a is site 2

ATMelgbacctflnkg1a is site 1

and so on.....

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-16-2018 07:59 PM

Changed it to add the word "site" to the site field, and added in a table command.

0 Karma
Reply
Solved! Jump to solution

abhi04
Communicator
‎02-16-2018 08:16 PM

Thanks Micahkemp, appreciated your help.

0 Karma
Reply
Solved! Jump to solution

abhi04
Communicator
‎02-16-2018 08:21 PM

HI Micahkemp,

Can you please tell me good sites from where I can learn regex?

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-16-2018 09:40 PM

@abhi04,
https://regexone.com/ is also good site to start regex learning

Reply
Solved! Jump to solution

micahkemp
Champion
‎02-16-2018 08:22 PM

https://regex101.com/ is a great site to test regexes. As for learning them, I'd have to defer to google on that one, as I don't have a recommendation handy.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-16-2018 09:57 AM

You can use rex in sed mode:

<base search>|rex field=source mode=sed "s/^\/[^\/]+\/[^\/]+\/[^\/]+\/(\w+).*/\1/"

OR simply use rex command:

 <base search>|rex field=source "^\/[^\/]+\/[^\/]+\/[^\/]+\/(?<source>\w+)"

try this run anywhere search:

|makeresults|eval source="/prod/app/atm/ATMCHKMI1a/logs/catalina.out"|rex field=source mode=sed "s/^\/[^\/]+\/[^\/]+\/[^\/]+\/(\w+).*/\1/"
0 Karma
Reply
Solved! Jump to solution

abhi04
Communicator
‎02-16-2018 07:23 PM

Thanks, It worked.
Also, if I want to separate into two site as well i.e. ATMCHKMI1a shows as site 1 and ATMCHKMI2a shows as site 2 and similarly for others. How to do that?

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-16-2018 07:38 PM

yes as @micahkemp suggested try this regex to get separate site name w.r.t. source name,

| rex field=source "^/([^/]+/){3}(?<source>[^/]+(?<site>[0-9]+)[^/]+?)/"
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...