Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field extraction of multi-line event with header
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ricotries
Communicator
03-10-2020
01:59 PM
I have a script for Linux that executes "sar -n DEV" and formats the output to look like:
Linux <kernel version> (<hostname>) <date> <arch> (<#> CPU)
Average: <interface> <field1> <field2> <field3>
Average: <interface> <field1> <field2> <field3>
Average: <interface> <field1> <field2> <field3>
Using Splunk Web's field extractor, I have a regex that applies field extraction to the first "Average:" line. How do I make it so the field is applied to as many "Average:" lines exist?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
03-11-2020
04:15 AM
| makeresults
| eval _raw="
Linux <kernel version> (<hostname>) <date> <arch> (<#> CPU)
Average: <interface> <field1> <field2> <field3>
Average: <interface> <field1> <field2> <field3>
Average: <interface> <field1> <field2> <field3>"
| rex max_match=0 "(?ms)Average:\s+(?<interface>\S+)\s+(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)"
try REGEX option (?ms) and max_match
transforms.conf
[your stanza]
REGEX = (?ms)Average:\s+(?<interface>\S+)\s+(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)
MV_ADD = true
I haven't try this. how about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
03-11-2020
04:15 AM
| makeresults
| eval _raw="
Linux <kernel version> (<hostname>) <date> <arch> (<#> CPU)
Average: <interface> <field1> <field2> <field3>
Average: <interface> <field1> <field2> <field3>
Average: <interface> <field1> <field2> <field3>"
| rex max_match=0 "(?ms)Average:\s+(?<interface>\S+)\s+(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)"
try REGEX option (?ms) and max_match
transforms.conf
[your stanza]
REGEX = (?ms)Average:\s+(?<interface>\S+)\s+(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)
MV_ADD = true
I haven't try this. how about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ricotries
Communicator
03-11-2020
05:06 AM
Would I have to make one REPORT entry per field or can I combine them all into one if I try to do this as a search-time extraction? I saw a key in transforms.conf that could apply for what I'm trying to do (MV_ADD).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
03-11-2020
06:16 AM
yes, REGEX and MV_ADD is. my answer is updated.
Get Updates on the Splunk Community!
There's No Place Like Chrome and the Splunk Platform
Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...
The Great Resilience Quest: 5th Leaderboard Update
The fifth leaderboard update for The Great Resilience Quest is out >>
🏆 Check out the ...
Devesh Logendran, Splunk, and the Singapore Cyber Conquest
At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...
