Solved: How to create regex with space delimiter field

gwes77 · ‎11-26-2019

Hello all, a regex is needed that's way above my head:
I have a message field in the notable index that holds multiple space delimiter hostnames on a host down alert. I need to separate out these values for a timechart. A sample of what is in the message field for each notable is listed below. I will need to exclude everything after hosts= and everything before \ncount=144 and each hostname has space in between. I want to call the new field criticalhosts.

hosts=XXXXC01 XXXXC05 XXXXM86 \ncount=144

Once that's done, I will need to do a stats count to show how many hosts went down per day over a month. I tried it with stats delim=" " but I am missing the first and last values in the field due to the extra verbiage. Thanks for the help.

woodcock · ‎11-26-2019

From SPL do it like this:

.. | makeresults | eval _raw="host=a b c d e \ncount=144"
| kv

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "(?s)host=(?<host>[^\r\n=]+).*count=(?<count>\d+)"
| rex field=host mode=sed "s/\\\n.*$//"
| makemv host
| stats sum(count) AS downcount BY host

View solution in original post

woodcock · ‎11-26-2019

From SPL do it like this:

.. | makeresults | eval _raw="host=a b c d e \ncount=144"
| kv

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "(?s)host=(?<host>[^\r\n=]+).*count=(?<count>\d+)"
| rex field=host mode=sed "s/\\\n.*$//"
| makemv host
| stats sum(count) AS downcount BY host

gwes77 · ‎11-27-2019

Would have never thought of that. Thanks for saving me time!

How to create regex with space delimiter field

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!