Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create regex with space delimiter field

gwes77
Explorer
‎11-26-2019 12:39 PM

Hello all, a regex is needed that's way above my head:
I have a message field in the notable index that holds multiple space delimiter hostnames on a host down alert. I need to separate out these values for a timechart. A sample of what is in the message field for each notable is listed below. I will need to exclude everything after hosts= and everything before \ncount=144 and each hostname has space in between. I want to call the new field criticalhosts. 

hosts=XXXXC01 XXXXC05 XXXXM86 \ncount=144

Once that's done, I will need to do a stats count to show how many hosts went down per day over a month. I tried it with stats delim=" " but I am missing the first and last values in the field due to the extra verbiage. Thanks for the help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-26-2019 01:34 PM

From SPL do it like this:

.. | makeresults | eval _raw="host=a b c d e \ncount=144"
| kv

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "(?s)host=(?<host>[^\r\n=]+).*count=(?<count>\d+)"
| rex field=host mode=sed "s/\\\n.*$//"
| makemv host
| stats sum(count) AS downcount BY host

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-26-2019 01:34 PM

From SPL do it like this:

.. | makeresults | eval _raw="host=a b c d e \ncount=144"
| kv

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "(?s)host=(?<host>[^\r\n=]+).*count=(?<count>\d+)"
| rex field=host mode=sed "s/\\\n.*$//"
| makemv host
| stats sum(count) AS downcount BY host
Reply
Solved! Jump to solution

gwes77
Explorer
‎11-27-2019 06:31 AM

Would have never thought of that. Thanks for saving me time!

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...