How to filter a specific field from an event
I have a file which gives me the following output:
srvrmgr> list comps SHOW SV_NAME,CP_DISP_RUN_STATE,CP_STARTMODE,CP_NUM_RUN_TASKS,CP_MAX_TASKS,CP_ACTV_MTS_PROCS,CP_MAX_MTS_PROCS,CP_START_TIME,CP_END_TIME,CC_ALIAS
SV_NAME CP_DISP_RUN_STATE CP_STARTMODE CP_NUM_RUN_TASKS CP_MAX_TASKS CP_ACTV_MTS_PROCS CP_MAX_MTS_PROCS CP_START_TIME CP_END_TIME CC_ALIAS
-------- ------------------- ------------ ---------------- ------------ ----------------- ---------------- ------------------- ------------------- --------------- ---------
lnx001 Online Auto 0 50 1 1 2022-07-18 03:53:03 comp_123 comp_123
lnx003 Online Auto 0 50 1 1 2022-07-18 03:53:03 comp_456 comp_123
lnx005 Online Auto 0 20 1 1 2022-07-18 03:53:03 comp_123 comp_123
lnx007 Online Manual 0 50 0 1 2022-07-18 03:53:03 comp_987
lnx010 Online Manual 0 500 0 5 2022-07-18 03:53:03 comp_564
lnx011 Online Auto 643 4000 40 40 2022-07-18 03:53:03 comp_123
I only want to extract the 1st and 4th (numeric) fields where comp_name=comp_123, discarding all the other entries, and show the 1st field as host, the 4th field as runningtasks and the final field as component. Please help me with the filters.

Since this output is clearly from some solution external to Splunk, the question is whether you're preparing to ingest that data into Splunk or whether you already have it ingested in Splunk in some form. If it's not yet ingested, will you be getting it as a file, as events over syslog, or some other way?
lnx001 Online Auto 1 50 1 1 2022-07-18 03:53:03 comp_123 comp_123
lnx003 Online Auto 1 50 1 1 2022-07-18 03:53:03 comp_456 comp_123
lnx005 Online Auto 1 20 1 1 2022-07-18 03:53:03 comp_123 comp_123
lnx007 Online Manual 1 50 0 1 2022-07-18 03:53:03 comp_987
lnx010 Online Manual 1 500 0 5 2022-07-18 03:53:03 comp_564
lnx011 Online Auto 643 4000 40 40 2022-07-18 03:53:03 comp_123
I want to extract the field after Auto, which shows the numeric value 1 (the numeric value can vary from 1-20). There are multiple fields with a numeric 1, or anything in between 1-99, other than this field. As of now I have tried this, but it matches all the fields which start with 1, or any other number which has a space before and after the character. It also matches anything from 1-99:
\s\d{1,2}\s


You haven't answered my questions.
Do you want to filter at index time or at search time?
The original posting asked about extracting 3 fields, but this reply asked only for the field after Auto. Which is desired? Is the field after Manual to be extracted or ignored?
Which "comp_123" value is the comp_name field? Some events have 2 comp_* fields.
To get the field after Auto, try Auto\s\d+
If this reply helps you, Karma would be appreciated.
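As an added example (not code from the thread), here is the anchored extraction that the `Auto\s\d+` hint above points at, run in Python over the rows posted in the question. It assumes, as the original post states, that the final whitespace-separated field is the component, and gives the equivalent Splunk `rex` search in a comment; named groups are `(?P<name>...)` in Python and `(?<name>...)` in Splunk's PCRE.

```python
import re

# Sample srvrmgr output as posted in the thread (header row plus data rows).
SAMPLE = """\
SV_NAME CP_DISP_RUN_STATE CP_STARTMODE CP_NUM_RUN_TASKS CP_MAX_TASKS CP_ACTV_MTS_PROCS CP_MAX_MTS_PROCS CP_START_TIME CP_END_TIME CC_ALIAS
lnx001 Online Auto 1 50 1 1 2022-07-18 03:53:03 comp_123 comp_123
lnx003 Online Auto 1 50 1 1 2022-07-18 03:53:03 comp_456 comp_123
lnx005 Online Auto 1 20 1 1 2022-07-18 03:53:03 comp_123 comp_123
lnx007 Online Manual 1 50 0 1 2022-07-18 03:53:03 comp_987
lnx010 Online Manual 1 500 0 5 2022-07-18 03:53:03 comp_564
lnx011 Online Auto 643 4000 40 40 2022-07-18 03:53:03 comp_123
"""

# The bare pattern from the question, written with look-arounds so adjacent hits
# do not consume each other's whitespace: it lands on every 1-2 digit token.
AMBIGUOUS_RE = re.compile(r"(?<!\S)\d{1,2}(?!\S)")

# Anchored extraction: walk the columns from the start of the line, so the captured
# number is always CP_NUM_RUN_TASKS, the field right after Auto/Manual.
# Splunk equivalent (PCRE named groups):
#   | rex "^(?<host>\S+)\s+\S+\s+(?:Auto|Manual)\s+(?<runningtasks>\d+)\s.*\s(?<component>\S+)$"
#   | where component="comp_123" | table host runningtasks component
FIELD_RE = re.compile(
    r"^(?P<host>\S+)\s+"              # SV_NAME
    r"\S+\s+"                         # CP_DISP_RUN_STATE (Online)
    r"(?P<startmode>Auto|Manual)\s+"  # CP_STARTMODE
    r"(?P<runningtasks>\d+)\s+"       # CP_NUM_RUN_TASKS
    r".*\s(?P<component>\S+)\s*$"     # final field, assumed to be the component (CC_ALIAS)
)


def ambiguous_hits(line):
    """How many 1-2 digit tokens the unanchored pattern can land on."""
    return len(AMBIGUOUS_RE.findall(line))


def extract(lines, component="comp_123"):
    """Return host/runningtasks/component for data rows whose final field is `component`."""
    rows = []
    for line in lines:
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # header, separator and srvrmgr> prompt lines never match
        if m["component"] != component:
            continue
        rows.append({"host": m["host"], "runningtasks": int(m["runningtasks"]),
                     "component": m["component"]})
    return rows
```

Note that lnx003 is kept even though its CP_END_TIME column reads comp_456, because its final field is comp_123; if the other comp_* column is the one meant, move the component capture accordingly.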


Do you want to filter at index time or search time? What have you tried so far? Please share the inputs.conf and props.conf stanzas for the file.
If this reply helps you, Karma would be appreciated.
