Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I search to filter?

sekhar463
Path Finder
‎01-16-2023 01:19 AM

hai All,

i have events like below 

from how can i filter events if for ex: 6th character in C*E**M  IS M want to filter all OR 6th character is H how can i filter all those

please assist

C*E**M****} JAWS Process to copy the legacy Virtu ORDERDETAILSs data from IMFT to network folder
C*E**M****} JAWS Process to copy the legacy Virtu Orders data from IMFT to network folder
C*E**M****} box that contains the processes to load Portware EOD files to APP_ETT database
C*E**M****} box that load the OMS legacy tables 1 11.111%
C*E3VL****} Box that contains the jobs to download and process the ITG Placement Inbound file
C*E**H****}ox that contains the processes t

Labels (2)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-16-2023 02:44 AM

You can filter using two methods, 

index=index_name source=sourcetype 
| regex _raw="DESCRIPTION=\".{5}(?:M|H)" 
| table JOID,JOB_NAME,DESCRIPTION,JOB_GROUP,STATUS,LAST_START,LAST_END,NEXT_START,RUNTIME
| sort -time

Or,

index=index_name source=sourcetype 
| rex "DESCRIPTION=\".{5}(?<sixth_char>.)"
| table JOID,JOB_NAME,sixth_char,DESCRIPTION,JOB_GROUP,STATUS,LAST_START,LAST_END,NEXT_START,RUNTIME
| search sixth_char IN ("H","M")
| sort -time
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-16-2023 01:59 AM

Hi @sekhar463,

I thought that you wanted to extract the sixth char, please try below to filter,

| regex _raw="DESCRIPTION=\".{5}(?:M|H)"

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sekhar463
Path Finder
‎01-16-2023 02:20 AM

not getting results

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-16-2023 01:32 AM

Hi @sekhar463,

You use below to extract 6th char in events;

| rex "^.{5}(?<sixth_char>.)"
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sekhar463
Path Finder
‎01-16-2023 02:17 AM

while adding this regex its giving 0 

actually once extracted i want to create 

can you give me the correct query please. i am using below query

 

index=index_name source=sourcetype | rex "^.{5}(?<sixth_char>.)"
| table JOID,JOB_NAME,sixth_char,DESCRIPTION,JOB_GROUP,STATUS,LAST_START,LAST_END,NEXT_START,RUNTIME
| sort -time

0 Karma
Reply

sekhar463
Path Finder
‎01-16-2023 01:38 AM

getting Zero while executing 

sample event

 

2023-01-16 03:30:01.715, JOID="80562", NAME="jobs name", DESCRIPTION="C***VM****}  extracting crd data from CS_BROKER table for ", JOB_NAME="job name",  RUN_NUM="408972404", NTRY="1", AVG_RUN_TIME="34",  STATUS_CODE="4", STATUS="SUCCESS", STATUS_TIME="2023/01/13 17:04:03", LAST_START="2023/01/13 17:03:29", LAST_END="2023/01/13 17:04:02", DATE_CONDITIONS="0", RUNTIME="33", EXIT_CODE="0"

 

 

 

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...