Splunk Search

How do I edit my search to find certain strings in my data and replace them with other strings?

Communicator

Hi guys,

I have this specific search that I want to edit:

 index="tablet_os" sourcetype="df" host=dc1* sda3 OR Data
 | multikv fields Filesystem, UsePct
 | strcat host '@' Filesystem Host_FileSystem
 | timechart span=60m avg(UsePct) by Host_FileSystem
 | rename avg(UsePct) as %Used

and currently, it displays a graph with certain information. What I want to edit is as follows:

dc1prmtbap01/dev/mapper/localraid-Data TO BE CHANGED TO dc1prmtbap01 /data

dc1prmtbap01 /dev/sda3 TO BE CHANGED TO dc1prmtbap01/root

Sorry for the lack of clarity, but if you need me to further explain something, please don't hesitate to ask. Thanks in advance for your help.

1 Solution

Champion

I'm assuming those are in the Host_FileSystem field, so maybe something like this (untested)

 index="tablet_os" sourcetype="df" host=dc1* sda3 OR Data
 | multikv fields Filesystem, UsePct
 | strcat host '@' Filesystem Host_FileSystem
 | eval Host_FileSystem = case(
       Host_FileSystem = "dc1prmtbap01/dev/mapper/localraid-Data", "dc1prmtbap01 /data",
       Host_FileSystem = "dc1prmtbap01 /dev/sda3", "dc1prmtbap01/root",
       1=1, Host_FileSystem)
 | timechart span=60m avg(UsePct) by Host_FileSystem
 | rename avg(UsePct) as %Used



Communicator

Hey maciep and thanks for your answer. It modified it for the first bars, but the rest are still in the long form.


Champion

Ok, you only mentioned those two initially. It's kind of hard to give you a better idea of how to make a similar change for everything without seeing all of your data. Are the short forms available anywhere in your events, or are they just something you know them as? Do you have an exhaustive list of mappings from long names to short names? Or is there a pattern that can be applied to the long names to come up with the short names?

We're flying kinda blind here 🙂


Communicator

I am sorry, I forgot to mention it's for servers 02, 03, and 04. Would I just take your example and create several more cases, or is there a shorter way to do it?


Champion

If the paths are the same, then this might work. But hardcoding the case statements for 4 servers isn't too bad either.

The idea would be to grab the host part of the Host_FileSystem field. Then change your case to match on the path minus the host info. Then, depending on which path matches, append either /data or /root to the host we grabbed earlier.

But in general, there are probably a few different ways to tackle something like this. And the better you understand the data, the more options you'll likely have.

Again, not tested at all...

 index="tablet_os" sourcetype="df" host=dc1* sda3 OR Data
 | multikv fields Filesystem, UsePct
 | strcat host '@' Filesystem Host_FileSystem
 | rex field=Host_FileSystem "(?<path_host>[^/]+)"
 | eval Host_FileSystem = case(
       match(Host_FileSystem, "dev/mapper/localraid-Data"), path_host."/data",
       match(Host_FileSystem, "dev/sda3"), path_host."/root",
       1=1, Host_FileSystem)
 | timechart span=60m avg(UsePct) by Host_FileSystem
 | rename avg(UsePct) as %Used
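The host-capture-then-path-match approach from the answer above, re-implemented in Python as an added example (it is not SPL from the thread and not Splunk's own code) so the behaviour of the rex and the case() can be checked offline against constructed sample values. The sample rows, the two variant rows (a space between host and path, and a lower-case "data"), and the hardened function are assumptions made for this example; it does not diagnose the 04/05 rows reported later in the thread.

```python
import re

# Constructed sample values of Host_FileSystem, in the shape the thread's
# strcat produces (host immediately followed by the df Filesystem column),
# paired with a made-up UsePct. Not data from the thread. The last two rows
# are assumed variants added to show how the mapping can miss or fork a row.
SAMPLE_ROWS = [
    ("dc1prmtbap01/dev/mapper/localraid-Data", 63.5),
    ("dc1prmtbap01/dev/sda3", 41.0),
    ("dc1prmtbap02/dev/mapper/localraid-Data", 70.2),
    ("dc1prmtbap03/dev/sda3", 38.9),
    ("dc1prmtbap04 /dev/mapper/localraid-Data", 55.0),  # space between host and path
    ("dc1prmtbap05/dev/mapper/localraid-data", 80.1),   # lower-case "data"
]

# The rex from the answer: the host part is everything before the first "/".
HOST_RE = re.compile(r"(?P<path_host>[^/]+)")

# Path patterns used by the answer's case(); SPL match() is a regex search.
DATA_PATTERN = "dev/mapper/localraid-Data"
ROOT_PATTERN = "dev/sda3"


def rename_as_posted(hfs):
    """Mirror the rex + case() exactly as posted.

    match() is case-sensitive, the branches are tested in order, and the
    1=1 branch returns the original value when nothing matched.
    """
    m = HOST_RE.match(hfs)
    path_host = m.group("path_host") if m else ""
    if re.search(DATA_PATTERN, hfs):
        return path_host + "/data"
    if re.search(ROOT_PATTERN, hfs):
        return path_host + "/root"
    return hfs


def rename_hardened(hfs):
    """Same mapping with two assumed hardenings (not verified in the thread):
    whitespace is trimmed from the captured host, and the path test ignores
    case. In SPL that would be trim() on path_host and "(?i)" in the regex.
    """
    m = HOST_RE.match(hfs)
    path_host = m.group("path_host").strip() if m else ""
    if re.search(DATA_PATTERN, hfs, re.IGNORECASE):
        return path_host + "/data"
    if re.search(ROOT_PATTERN, hfs, re.IGNORECASE):
        return path_host + "/root"
    return hfs


def unmapped(rows, rename):
    """Values that fell through the case() unchanged: the check to run before
    trusting the chart legend (in SPL, keep a copy of the field before the
    eval and filter on the two being equal)."""
    return [hfs for hfs, _ in rows if rename(hfs) == hfs]


def series_keys(rows, rename):
    """Distinct legend keys the timechart's "by" clause would produce."""
    return sorted({rename(hfs) for hfs, _ in rows})


if __name__ == "__main__":
    for name, fn in (("as posted", rename_as_posted), ("hardened", rename_hardened)):
        print(f"{name}: unmapped={unmapped(SAMPLE_ROWS, fn)}")
        print(f"{name}: series={series_keys(SAMPLE_ROWS, fn)}")
```

Running it shows the two ways a row can escape the mapping without any error: the lower-case row falls through the case() untouched and keeps its long legend name, while the row with a stray space is mapped but lands on a separate "dc1prmtbap04 /data" series because the captured host still carries the space. Listing the unmapped values and the distinct series keys is the quick way to spot both in Splunk before reading the chart.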

Communicator

Yes, the paths are the same. That worked really well, except I forgot to mention there is also an 05, but the strange thing is it worked for /root but not for dc1prmtbap05/dev/mapper/localraid-Data.

It also did not change dc1prmtbap04/dev/mapper/localraid-Data to be just /data. Other than those two, everything else worked great!
