Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Execute regex based on condition

vaishnavi07
Explorer
‎06-13-2014 03:34 AM

I have to display the counters starting with # and also % if the sourcetype is "PerfmonMk:.Net CLR Exceptions" and for other sourcetype(PerfmonMk:Processor) i have to display the counters starting with % only. I use the following regex commands,

Counters starting with # and % : |  regex column="#[_A-Za-z]*|%[_A-Za-z]*"
Counters starting with % : |  regex column="%[_A-Za-z]*"

Is there any way to do this?

Tags (1)
Reply

grijhwani
Motivator
‎06-13-2014 04:27 AM

Just construct the one regex to match all your cases. I can't see what the issue is with matching [#%][_A-Za-z]* (which is just a contraction of your first example regex). If hash is never present, what's the big deal? The regex will still match.

0 Karma
Reply

aweitzman
Motivator
‎06-16-2014 07:16 AM

OK, I think I misunderstood your question initially, and my first suggestion isn't really valid. But the second one should help a bit:

sourcetype="PerfmonMk:Processor" | table sourcetype %* | append [search sourcetype="PerfmonMk:.Net CLR Exceptions" | table #* %*]

The problem with field names is that they can only be referred to by wildcards, not by regex. Hopefully this will work well enough for you.

0 Karma
Reply

vaishnavi07
Explorer
‎06-16-2014 01:40 AM

Hi Can you please give me an example?

0 Karma
Reply

aweitzman
Motivator
‎06-13-2014 09:55 AM

  1. You could use the single regex as described, and then use a 'where' clause to eliminate the events you don't want.

  2. You could run two different searches with your two different regexes and use 'append' to turn them into a single result set.

0 Karma
Reply

vaishnavi07
Explorer
‎06-13-2014 05:22 AM

If i write single regex command and select sourcetype as "PerfmonMk:Processor" then the counters starting with # will get displayed. I don't need that. Only if i select the sourcetype "PerfmonMk:.Net CLR Exceptions" the counters that starts with # should get displayed.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...