Hi everyone,
I have a problem building an SPL query with the regular expression:
This is an example of my data:
These are all pathnames:
root/home/1/2/3/4/5/6/
root/home/1/2/3/4
root/home/0/9/11
root/home/0/9/22
and so on...
I would like to edit my data based on one specific folder, so for example, if the folder is 2, I would like to obtain:
root/home/1/*
root/home/1/*
root/home/0/9/11
root/home/0/9/22
If the folder was home, my data would be:
root/*
Actually, all my pathnames are raw data, so to extract them I use this search, which works fine:
index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | fields path_d
How can I create a new search, using the results of this previous search, that does what I asked above?
Please, let me know.
Like this:
index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | eval new_path=path_d | rex field=new_path mode=sed "s%/2/.*%/*%" | stats values(new_path)
index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | eval new_path=path_d | rex field=new_path mode=sed "s%/home/.*%/*%" | stats values(new_path)
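As an added illustration (not part of the thread), the same transformation in Python: it builds the sed-mode expression used above for an arbitrary folder name, and applies the equivalent rewrite to the question's sample paths with dedup, so you can see that folder "2" leaves ".../22" alone and that the sed pattern /2/.* only matches when the folder is followed by a further component. The sample paths are constructed from the question; the function names are my own.

```python
import re

# Sample paths constructed from the question.
SAMPLE_PATHS = [
    "root/home/1/2/3/4/5/6/",
    "root/home/1/2/3/4",
    "root/home/0/9/11",
    "root/home/0/9/22",
]


def sed_expression(folder: str) -> str:
    """Build the `rex mode=sed` expression from the answer, e.g. s%/2/.*%/*% .

    re.escape keeps folder names containing regex metacharacters ('.', '+')
    from being read as patterns; '%' is the sed delimiter, so it is rejected.
    """
    if "%" in folder:
        raise ValueError("folder name must not contain the sed delimiter '%'")
    return f"s%/{re.escape(folder)}/.*%/*%"


def wildcard_at_folder(paths, folder):
    """Replace everything from `folder` onward with '*' and drop duplicates.

    Matches a whole path component only (preceded by '/', followed by '/' or
    end of string), so folder '2' does not touch '.../22'. Unlike the sed
    pattern /2/.*, a path whose last component is the folder is also
    rewritten. Paths without the folder are returned unchanged, which is
    what the follow-up in the thread asks for.
    """
    pattern = re.compile(rf"/{re.escape(folder)}(?:/.*)?$")
    seen = set()
    out = []
    for p in paths:
        new_path = pattern.sub("/*", p)
        if new_path not in seen:  # equivalent of the dedup / stats values step
            seen.add(new_path)
            out.append(new_path)
    return out


if __name__ == "__main__":
    print(sed_expression("2"))
    for folder in ("2", "home", "9"):
        print(folder, "->", wildcard_at_folder(SAMPLE_PATHS, folder))
```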
thank you : )
I'd like to confirm what it is that you want to do by asking some questions:
Question 1:
Do your events only contain the path that you want, or are you getting the path as you describe in the first code box from the extracted values from your rex command (in the path_d result)?
Question 2:
Would you like the final output of the search from the events in the first box to look exactly like the results in the second box (specifically that you also have 4 entries)?
Question 3:
Do you only want one result as you show in the third box (only one event), or would you want four events all the same (your results seem to be inconsistent if not)?
Question 4:
Do you want the results that don't match your criteria (e.g. 2 or home subdirectories) to be unchanged?
Question 1:
To get the path, I'm using the rex command, and they are the path_d results.
Question 2:
I can have an infinite number of entries, like 10000 events, depending on the parameters of the user; I would like to wildcard a specific parameter. And I would like to have only the results of the second box. In this case the parameter was 2.
Question 3:
Yes, I would like only one result, so dedup the copies, to have consistent data.
I have written 2 equal pathnames in this example, to make it clear to the other people.
Question 4:
Yes, if they don't match my criteria (parameter) they have to stay unchanged.
Thank you so much
For now, I have created 2 queries, one that writes all the results that are not changing, and another one that writes the results that are changing:
search: mvc.tokenSafe("index=main File:read | rex \"\\s\\-\\s\\[(?<path_dd>.+)\ $mytoken2$\" | dedup path_dd | eval path=path_dd+\"*\" | sort by path| table path | outputlookup output.csv append=True")
Can you explain your lab correctly?