My search looks like this
base search | rex ".*?(?<server>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<date>[^,]+),\s*?(?<time>[^,]+),\s*?(?<Count>[^,]+),\s*?(?<CPU>[^,]+),\s*?(?<Total_Disk>[^,]+),\s*?(?<Used_Disk>[^,]+),\s*?(?<Total_Memory>[^,]+),\s*?(?<Used_Memory>[^,]+)"
| eval Total_Disk=Total_Disk/1000
| table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory
Here, I am dividing Total_Disk by 1000. But in the statistics table, Total_Disk is not printing any values.
How do I get the data according to my requirement?
Thank You
How about this?
base search| rex "^\s*(?<server>[^,]+),\s*(?<NODE>[^,]+),\s*(?<date>\d{4}-\d{2}-\d{2}),\s*(?<time>\d{2}\:\d{2}),\s*(?<Count>\d+),\s*(?<CPU>[^,]+),\s*(?<Total_Disk>[^,]+),\s*(?<Used_Disk>[^,]+),\s*(?<Total_Memory>[^,]+),\s*(?<Used_Memory>\S+)"
| eval Total_Disk=tonumber(Total_Disk)/1000
| table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory
Perfect!
Can you explain that?
I initially started with fixing the regex, but I believe that was not the issue. The issue could be the wrong case used in Total_Disk field name (used Total_disk instead of Total_Disk), in the last query you posted.
That one I tried, no result came.
You changed the regex by adding \d{4}-\d{2}-\d{2})
I don't understand what it does.
\d is for digits. I basically explicitly provided the format of the date and time fields. I like to be specific where I can.
My guess is that field Total_Disk is not extracted (value is null). So try running this to confirm whether the value is extracted or not. If not (field Total_Disk is null/blank), paste your sample event and query again (and make sure you select the query and press Ctrl+K or click the "101010" button to apply code formatting).
base search | rex ".*?(?<server>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<date>[^,]+),\s*?(?<time>[^,]+),\s*?(?<Count>[^,]+),\s*?(?<CPU>[^,]+),\s*?(?<Total_Disk>[^,]+),\s*?(?<Used_Disk>[^,]+),\s*?(?<Total_Memory>[^,]+),\s*?(?<Used_Memory>[^,]+)"
| eval Total_Disk1=Total_Disk/1000
| table _time server NODE Count CPU Total_Disk Total_Disk1 Used_Disk Total_Memory Used_Memory
base search| rex ".*?(?<server>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<date>[^,]+),\s*?(?<time>[^,]+),\s*?(?<Count>[^,]+),\s*?(?<CPU>[^,]+),\s*?(?<Total_Disk>[^,]+),\s*?(?<Used_Disk>[^,]+),\s*?(?<Total_Memory>[^,]+),\s*?(?<Used_Memory>[^,]+)"
| eval Total_Disk=Total_disk/1000
| table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory
This is my search
Try this
base search| rex ".*?(?<server>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<date>[^,]+),\s*?(?<time>[^,]+),\s*?(?<Count>[^,]+),\s*?(?<CPU>[^,]+),\s*?(?<Total_Disk>[^,]+),\s*?(?<Used_Disk>[^,]+),\s*?(?<Total_Memory>[^,]+),\s*?(?<Used_Memory>[^,]+)"
| eval Total_Disk=tonumber(Total_disk)/1000
| table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory
This is also not giving the results. Null values are coming.
Is Total_Disk a field with values coming back before your rex command? After your rex command? What does the data look like before your eval statement?
The Total_Disk value is coming after the rex command.
@prathapkcsc, please re-post your search query with the code button (101010) so that special characters do not get escaped. Would it be possible for you to add some sample events as well?
If possible, use Splunk Interactive Field Extraction (IFX) instead of rex to make sure that the field is getting extracted as you expect. You can also test your regular expression through IFX or regex101.com. (https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX)
DataNode,Hadoop,2017-06-17,23:05,26, 0.18, 1149876, 7231, 251, 70.8462
Flume,Hadoop,2017-06-17,23:05,9, 0.23, 108345, 114, 125, 17.6667
ResourceManager,Hadoop,2017-06-17,23:05,2, 0.11, 22146,320, 125, 9
ZooKeeper,Hadoop,2017-06-17,23:05,5, 0.2, 63747, 977, 125, 10
Foyer,Hadoop,2017-06-17,23:05,2, 0.14, 22146,320, 125, 10.5
Splunk,Hadoop,2017-06-17,23:05,1, 0.06, 40959, 106, 251, 3
This is my sample data
base search
| rex ".*?(?<server>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<date>[^,]+),\s*?(?<time>[^,]+),\s*?(?<Count>[^,]+),\s*?(?<CPU>[^,]+),\s*?(?<Total_Disk>[^,]+),\s*?(?<Used_Disk>[^,]+),\s*?(?<Total_Memory>[^,]+),\s*?(?<Used_Memory>[^,]+)"
| eval Total_Disk=Total_Disk/1000
| table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory
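To show why the accepted answer's rex works where the query above leaves Total_Disk empty, here is an added example (not part of this thread, and not Splunk's own code) that runs both patterns over the six sample events posted above. The patterns are translated from Splunk's `(?<name>...)` group syntax to Python's `(?P<name>...)`, which is the only syntactic change. The difference that matters is the lazy `\s*?` in the original versus the greedy `\s*` in the answer before each `[^,]+`: the lazy form matches zero spaces and lets `[^,]+` keep the leading blank, so the captured Total_Disk is " 1149876" rather than "1149876". The `scaled_total_disk` helper and its `strictly_numeric` check are this example's own model of a strict numeric conversion (padded values map to None); they are assumptions for illustration, not a description of how Splunk's `tonumber()` or eval treats such strings.

```python
import re

# Constructed sample input: the six events posted in the thread, one per line, in the
# order server,NODE,date,time,Count,CPU,Total_Disk,Used_Disk,Total_Memory,Used_Memory.
SAMPLE_EVENTS = [
    "DataNode,Hadoop,2017-06-17,23:05,26, 0.18, 1149876, 7231, 251, 70.8462",
    "Flume,Hadoop,2017-06-17,23:05,9, 0.23, 108345, 114, 125, 17.6667",
    "ResourceManager,Hadoop,2017-06-17,23:05,2, 0.11, 22146,320, 125, 9",
    "ZooKeeper,Hadoop,2017-06-17,23:05,5, 0.2, 63747, 977, 125, 10",
    "Foyer,Hadoop,2017-06-17,23:05,2, 0.14, 22146,320, 125, 10.5",
    "Splunk,Hadoop,2017-06-17,23:05,1, 0.06, 40959, 106, 251, 3",
]

# The question's rex, with (?<name>...) rewritten as Python's (?P<name>...).
# Every separator is the LAZY "\s*?": it matches zero spaces whenever the following
# [^,]+ can swallow the blank itself, so numeric captures keep a leading space.
ORIGINAL_REX = re.compile(
    r".*?(?P<server>[^,]+),\s*?(?P<NODE>[^,]+),\s*?(?P<date>[^,]+),\s*?(?P<time>[^,]+),"
    r"\s*?(?P<Count>[^,]+),\s*?(?P<CPU>[^,]+),\s*?(?P<Total_Disk>[^,]+),"
    r"\s*?(?P<Used_Disk>[^,]+),\s*?(?P<Total_Memory>[^,]+),\s*?(?P<Used_Memory>[^,]+)"
)

# The accepted answer's rex, same translation. Separators are the GREEDY "\s*", which
# consumes the blank before each value, and date/time/Count are pinned with \d.
FIXED_REX = re.compile(
    r"^\s*(?P<server>[^,]+),\s*(?P<NODE>[^,]+),\s*(?P<date>\d{4}-\d{2}-\d{2}),"
    r"\s*(?P<time>\d{2}:\d{2}),\s*(?P<Count>\d+),\s*(?P<CPU>[^,]+),\s*(?P<Total_Disk>[^,]+),"
    r"\s*(?P<Used_Disk>[^,]+),\s*(?P<Total_Memory>[^,]+),\s*(?P<Used_Memory>\S+)"
)


def extract(pattern, event):
    """Apply one rex pattern to one event; return the named captures, or None if no match."""
    match = pattern.search(event)
    return match.groupdict() if match else None


def total_disk_values(pattern):
    """Raw Total_Disk captures for every sample event, in order (exactly what eval would see)."""
    return [extract(pattern, event)["Total_Disk"] for event in SAMPLE_EVENTS]


def strictly_numeric(value):
    """True only for a clean decimal literal with no surrounding whitespace.
    Assumption of this example: a strict converter rejects padded strings.
    (Python's float() would tolerate the padding, so the check is explicit.)"""
    return re.fullmatch(r"-?\d+(\.\d+)?", value) is not None


def scaled_total_disk(pattern, divisor=1000):
    """Model of `eval Total_Disk=tonumber(Total_Disk)/1000` over the sample events.
    Values that are not strictly numeric (e.g. " 1149876") become None, which is
    this example's stand-in for the empty column the thread reports."""
    return [float(value) / divisor if strictly_numeric(value) else None
            for value in total_disk_values(pattern)]


if __name__ == "__main__":
    for label, pattern in (("original (lazy \\s*?)", ORIGINAL_REX), ("fixed (greedy \\s*)", FIXED_REX)):
        print(label)
        for raw, scaled in zip(total_disk_values(pattern), scaled_total_disk(pattern)):
            print(f"  Total_Disk={raw!r:>12}  -> {scaled}")
```

Pasting either pattern and the sample lines into regex101.com, as suggested in the thread, shows the same leading-space capture in the match groups; the fix is to make the whitespace quantifier greedy (or to constrain the capture to `\d+`), and `tonumber()` is then a no-op safety net rather than the thing that repairs the value.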