How do I evaluate on column in space and tab delim...

HelloItsMe76 · ‎05-17-2023

Hello all.

I have a log file that looks like this;

PROCESS UP STATUS RESTARTS AGE
PROCESS1 2/2 Running 0 6d19h
PROCESS2aaa 2/2 Completed 0 7d6h
PROCESS3 0/1 Running 6 6d19h

I am trying to evaluate on the RESTART colum. The length of the process name is not consistent and some files are tab delimited and some are space delimited.

I cant get my rex command to work. Any help would be very appreciated.

ITWhisperer · ‎05-17-2023

Try something like this

| rex "(?<PROCESS>\S+)\s+(?<UP>\S+)\s+(?<STATUS>\S+)\s+(?<RESTARTS>\S+)\s+(?<AGE>\S+)"

HelloItsMe76 · ‎05-22-2023

Hey, thanks for the reply. that basically just returns whats already there. I would like to show the data as a table and be able to filter and return rows where, for example, AGE <2. At the moment it doesnt seem to recognise that data as a table and hence i cant filter on AGE, or other columns.

ITWhisperer · ‎05-22-2023

If the rex is not extracting the fields (which would be shown as columns in a table), then the rex expression (based on your sample data) does not match your real data.

Please provide an accurate representation of your actual event data, preferably in a code block </> to reduce formatting corruption.

How do I evaluate on column in space and tab delimited logs?

rex

table

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)