Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create regex with space delimiter field

gwes77
Explorer
‎11-26-2019 12:39 PM

Hello all, a regex is needed that's way above my head:
I have a message field in the notable index that holds multiple space delimiter hostnames on a host down alert. I need to separate out these values for a timechart. A sample of what is in the message field for each notable is listed below. I will need to exclude everything after hosts= and everything before \ncount=144 and each hostname has space in between. I want to call the new field criticalhosts. 

hosts=XXXXC01 XXXXC05 XXXXM86 \ncount=144

Once that's done, I will need to do a stats count to show how many hosts went down per day over a month. I tried it with stats delim=" " but I am missing the first and last values in the field due to the extra verbiage. Thanks for the help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-26-2019 01:34 PM

From SPL do it like this:

.. | makeresults | eval _raw="host=a b c d e \ncount=144"
| kv

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "(?s)host=(?<host>[^\r\n=]+).*count=(?<count>\d+)"
| rex field=host mode=sed "s/\\\n.*$//"
| makemv host
| stats sum(count) AS downcount BY host

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-26-2019 01:34 PM

From SPL do it like this:

.. | makeresults | eval _raw="host=a b c d e \ncount=144"
| kv

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "(?s)host=(?<host>[^\r\n=]+).*count=(?<count>\d+)"
| rex field=host mode=sed "s/\\\n.*$//"
| makemv host
| stats sum(count) AS downcount BY host
Reply
Solved! Jump to solution

gwes77
Explorer
‎11-27-2019 06:31 AM

Would have never thought of that. Thanks for saving me time!

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...