How to combain two rex

VRP136 · ‎10-09-2024

I have two rex queries and want know how to combine

Query : 1

index=test1 sourcetype=teams
| search "osversion="
| rex field=_raw "\s+(?<osVersion>.*?)$"
| table Time(utc) "OSVersion"

output :

time osversion
1.1 123
1.2 1234
1.3 12345
1.4 123456

Query : 2

index=test1 sourcetype=teams
| search "host=12*
| rex field=_raw "\w+(?<host>*)$"
| table Time(utc) "OSVersion"

output :

time host
1.1 abc
1.2 abcd
1.3 abcde

Pls help me how to combine above queries and should show table like below

time osversion host
1.1 123 abc
1.2 1234 abcd
1.3 12345 abcde

richgalloway · ‎10-09-2024

The queries can be combined like this.

index=test1 sourcetype=teams ("osversion=" OR "host=12*")
| rex field=_raw "\s+(?<osVersion>.*?)$"
| rex field=_raw "\w+(?<host>*)$"
| table Time(utc) "OSVersion" host

That will give you lists of OSVersions and hosts separately, but in a single table. Then you should compare the time values to see if OSVersion and host are in events with the timestamp so they can be merged. If so, then this query will do it.

index=test1 sourcetype=teams ("osversion=" OR "host=12*")
| rex field=_raw "\s+(?<osVersion>.*?)$"
| rex field=_raw "\w+(?<host>*)$"
| stats values(*) as * by "Time(utc)"
| table "Time(utc)" "OSVersion" host

---
If this reply helps you, Karma would be appreciated.

How to combain two rex

rex

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to combain two rex

rex

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...