Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting values (with rex) out of the last two events and concat as one string?

amatthes
Observer
‎01-10-2020 02:02 AM

Hey everbody

I have two different evens for the same file. I need to extract the latest values and concat it to one string.

File:
foo=bar
foo1=bar1
foo2=bar2
foo3=bar3

Event 1:
foo=new_bar
foo1=new_bar1

Event 2:
foo2=new_bar2
foo3=new_bar3

Search:
index=MY_INDEX sourcetype=my:source | sort - _time | head 2 | rex field=_raw "foo1=(?(.))" | rex field=_raw "foo2=(?(.))" | table NEED1 NEED2

Output:
NEED1 NEED2
"" or "none" new_bar1
"new_bar2" "" or "none"

Expected string:
new_bar2 new_bar3

Is it possible?

Thanks for your help.

Tags (1)
0 Karma
Reply

jarizeloyola
Path Finder
‎01-10-2020 05:35 AM

Im not sure if I parsed your question correctly but based from what I understand you want to get the 2 latest events and concat it with a string. Based from your given example your log is in key/field=value form so that is automatically extracted . If you want to get the latest values it is better to use stats, its a lot faster and efficient instead of using sort which is too intensive , sorting should always be in the last.

index=MY_INDEX sourcetype=my:source stats latest
| stats latest(foo1) as foo1 latest(foo2) as foo2
| eval NEED1="new_".foo1
| eval NEED2="new_".foo2
| table NEED1 NEED2

Just incase you need a rex |rex field=_raw "fo(\w|\w\d+)\=(?<value>[a-z0-9].*)"

0 Karma
Reply

to4kawa
Ultra Champion
‎01-10-2020 04:38 AM

Various important points have disappeared.

please use code sample. 101010

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...