Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Security
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Re: Query formatting error.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jerinvarghese
Communicator
01-28-2020
01:31 AM
Need help in filtering words from the RAW output.
Below is a sample message that am getting from my index.
2020-01-24T18:48:03.593Z USDALPOD03-DCNPL2023 <29> ifIndex 515, ifAdminStatus up(1), ifOperStatus up(1), ifName et-0/0/50
2020-01-24T18:48:01.793Z USDALPOD03-DCNPL2023 <28> ifIndex 515, ifAdminStatus up(1), ifOperStatus down(2), ifName et-0/0/50
Below is the code that am using.
index=nw_syslog "et-*" "ifoper*"
| rex field=_raw "ifName (?<Interface>.*)"
| rex field=_raw "ifOperStatus (?<Status>.*)"
| table hostname, Status, Interface
Below is the output that am getting.
hostname Status Interface
USDALPOD03-DCNPL2023 up(1), ifName et-0/0/50 et-0/0/50
USDALPOD03-DCNPL2023 down(2), ifName et-0/0/50 et-0/0/50
Expected output
hostname Status Interface Time
USDALPOD03-DCNPL2023 up et-0/0/50 XX:XX:XX
USDALPOD03-DCNPL2023 down et-0/0/50 XX:XX:XX
While am giving | rex field=_raw "ifOperStatus (?.*)(" this qurry, its giving me error. please help in formatting.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
01-28-2020
01:46 AM
Hi @jerinvarghese,
at first use this regex
ifIndex\s+(?<ifIndex>[^,]*),\sifAdminStatus\s+(?<ifAdminStatus>[^,]*),\s+ifOperStatus\s+(?<Status>[^\(]*)\(\d+\),\s+ifName\s+(?<Interface>.*)
that you can test at https://regex101.com/r/KRBboF/2
So you can modify your output having a search like this:
index=nw_syslog "et-*" "ifoper*"
| rex "ifIndex\s+(?<ifIndex>[^,]*),\sifAdminStatus\s+(?<ifAdminStatus>[^,]*),\s+ifOperStatus\s+(?<Status>[^\(]*)\(\d+\),\s+ifName\s+(?<Interface>.*)"
| table hostname, Status, Interface
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
01-28-2020
01:46 AM
Hi @jerinvarghese,
at first use this regex
ifIndex\s+(?<ifIndex>[^,]*),\sifAdminStatus\s+(?<ifAdminStatus>[^,]*),\s+ifOperStatus\s+(?<Status>[^\(]*)\(\d+\),\s+ifName\s+(?<Interface>.*)
that you can test at https://regex101.com/r/KRBboF/2
So you can modify your output having a search like this:
index=nw_syslog "et-*" "ifoper*"
| rex "ifIndex\s+(?<ifIndex>[^,]*),\sifAdminStatus\s+(?<ifAdminStatus>[^,]*),\s+ifOperStatus\s+(?<Status>[^\(]*)\(\d+\),\s+ifName\s+(?<Interface>.*)"
| table hostname, Status, Interface
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jerinvarghese
Communicator
01-28-2020
03:09 AM
Thanks so much for the regex command.
I edited little more in that
index=nw_syslog "et-*" "ifoper*"
| rex "ifIndex\s+(?<ifIndex>[^,]*),\sifAdminStatus\s+(?<ifAdminStatus>[^,]*),\s+ifOperStatus\s+(?<Status>[^\(]*)\(\d+\),\s+ifName\s+(?<Interface>.*)"
| stats latest(_time) as Time_CST count by hostname, Status, Interface
| sort - Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| table hostname, Status, Interface, Time_CST, count
Output came as
hostname Status Interface Time_CST count
USDALPOD03-DCNPL2023 up et-0/0/50 01/24/20 12:48:03 2
USDALPOD03-DCNPL2023 down et-0/0/50 01/24/20 12:48:01 1
USDALPOD03-DCNPL2023 up et-0/0/48 01/24/20 12:33:27 2
USDALPOD03-DCNPL2023 down et-0/0/48 01/24/20 12:33:26 1
USDALPOD03-DCNPL2021 down et-0/0/48 01/24/20 10:26:53 1
USDALPOD03-DCNPL2021 up et-0/0/48 01/24/20 10:26:52 1
Is it possible to dedup the Interface w.r.t to the hostname and display the latest one Status based.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
01-28-2020
05:13 AM
Hi @jerinvarghese,
if you want to list all the Statuses, you can modify your stats command in
| stats latest(_time) as Time_CST values(Status) AS Status count by hostname Interface
if instead you want only the last one:
| stats latest(_time) as Time_CST max(Status) AS Status count by hostname Interface
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
01-28-2020
03:27 AM
your search
| dedup hostname, Interface
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open.
If ...
Announcing Modern Navigation: A New Era of Splunk User Experience
We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...
