Re: Extracting values (with rex) out of the last t...

amatthes · ‎01-10-2020

Hey everbody

I have two different evens for the same file. I need to extract the latest values and concat it to one string.

File:
foo=bar
foo1=bar1
foo2=bar2
foo3=bar3

Event 1:
foo=new_bar
foo1=new_bar1

Event 2:
foo2=new_bar2
foo3=new_bar3

Output:
NEED1 NEED2
"" or "none" new_bar1
"new_bar2" "" or "none"

Expected string:
new_bar2 new_bar3

Is it possible?

Thanks for your help.

jarizeloyola · ‎01-10-2020

Im not sure if I parsed your question correctly but based from what I understand you want to get the 2 latest events and concat it with a string. Based from your given example your log is in key/field=value form so that is automatically extracted . If you want to get the latest values it is better to use stats, its a lot faster and efficient instead of using sort which is too intensive , sorting should always be in the last.

index=MY_INDEX sourcetype=my:source stats latest | stats latest(foo1) as foo1 latest(foo2) as foo2 | eval NEED1="new_".foo1 | eval NEED2="new_".foo2 | table NEED1 NEED2

Just incase you need a rex |rex field=_raw "fo(\w|\w\d+)\=(?<value>[a-z0-9].*)"

to4kawa · ‎01-10-2020

Various important points have disappeared.

please use code sample. 101010

Extracting values (with rex) out of the last two events and concat as one string?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?