Hi users,
I automatically import some log files into Splunk using a script. The naming convention for those files is somewhat arbitrary.
My aim is to produce a panel depicting the totals of the logs for each file in a stacked manner. Up to here we are good.
The problem is that the log-file names are pretty awkward and long given the fact that they also reveal the complete path as to where they came from. I want to present to the viewer only the most intuitive part of the log-file name.
Here is what I managed to do but it doesn't work as expected.
sourcetype=nessus source=*SNMP* earliest=-1mon@mon latest=now signature_id=41028| rex "source.*SNMP public community \((?<area>.*)\)" |chart count(dest_dns) by area
I assume that the "source" of the file does not appear within the log itself, maybe. And that's why I can't filter it with rex.
Are you aware of any other technique that might help me to display only a particular part of the source-name?
Regards,
Evang
Try this for rex. The field= option can be used to pick any of the available fields which Splunk shows on the left-hand side, and the rex expression you write will then be applied to that field.
| rex field=source "SNMP public community \((?<area>.*)\)"
You can have rex match against any field you like, including the source field. Just use the field= parameter to rex.
http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Rex
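To make the point of both answers concrete, here is an added example (not code from the thread or from Splunk) that emulates what `rex field=source` followed by `chart count(dest_dns) by area` does, using constructed source paths and a constructed raw event line. It shows why the original search matched nothing (the source path is not in `_raw`), what the greedy `(?<area>.*)` capture returns when the area name itself contains parentheses, and that events whose area does not extract are dropped from the chart.

```python
import re
from collections import Counter

# Equivalent Splunk search (SPL), with the fix from the answers above:
#   sourcetype=nessus source=*SNMP* earliest=-1mon@mon latest=now signature_id=41028
#   | rex field=source "SNMP public community \((?<area>.*)\)"
#   | chart count(dest_dns) by area

# Same regex as the answer; `re.search` is unanchored, like Splunk's rex.
AREA_RE = re.compile(r"SNMP public community \((?P<area>.*)\)")

# Constructed sample events as (source, dest_dns). These paths are invented
# for the example; they are not from the original poster's environment.
SAMPLE_EVENTS = [
    ("/var/log/nessus/2015-01/SNMP public community (Datacenter-East).nessus", "host1.example.com"),
    ("/var/log/nessus/2015-01/SNMP public community (Datacenter-East).nessus", "host2.example.com"),
    ("/srv/imports/audit/SNMP public community (Branch (London)).nessus", "host3.example.com"),
    ("/srv/imports/audit/other-scan.nessus", "host4.example.com"),
]

# Constructed stand-in for the _raw text of one event: note it carries the
# plugin output, not the file path, so rex against _raw finds no area.
SAMPLE_RAW = "signature_id=41028 dest_dns=host1.example.com signature=SNMP Agent Default Community Name (public)"


def extract_area(value, pattern=AREA_RE):
    """Apply the rex pattern to one field value; None means rex set no field."""
    m = pattern.search(value)
    return m.group("area") if m else None


def count_by_area(events, pattern=AREA_RE):
    """Emulate `rex field=source ... | chart count(dest_dns) by area`."""
    counts = Counter()
    for source, dest_dns in events:
        area = extract_area(source, pattern)
        # chart ... by area silently drops events where area is null,
        # and count(dest_dns) only counts events that carry dest_dns.
        if area is None or not dest_dns:
            continue
        counts[area] += 1
    return dict(counts)


if __name__ == "__main__":
    print("area from _raw :", extract_area(SAMPLE_RAW))      # None
    for source, _ in SAMPLE_EVENTS:
        print("area from source:", extract_area(source))
    print(count_by_area(SAMPLE_EVENTS))
```

The greedy `.*` inside the capture runs to the last `)` on the line, which is what keeps `Branch (London)` intact; a non-greedy `.*?` would cut it at `Branch (London`. The fourth sample file has no `SNMP public community (...)` part, so it never gets an `area` value and does not appear in the chart at all, which is worth knowing when the stacked totals look smaller than the raw event count.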
Okay, sorry, false alarm!
It was the multi-series mode, which I've never played with, and which for the first time was switched on by default.
Many thanks to both!
Regards,
Evang
That is excellent! It worked like a charm! Thanks to both of you!
However, one thing came up. The output has two separate charts rather than one, and thus I can't stack the results.
Any idea?
Regards,
Evang