Splunk Search

How to edit my current rex search to extract path names?

Communicator

Hi everyone,

I have a problem building an SPL query with the regular expression:

This is an example of my data:
These are all pathnames:

 root/home/1/2/3/4/5/6/
 root/home/1/2/3/4
 root/home/0/9/11
 root/home/0/9/22

and so on...

I would like to edit my data based on one specific folder, so for example, if the folder is 2, I would like to obtain:

 root/home/1/*
 root/home/1/*
 root/home/0/9/11
 root/home/0/9/22

If the folder were home, my data would be:

root/*

Actually, all my pathnames are raw data, so to extract them I use this search, which works fine:

  index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | fields path_d

How can I create a new search, using the results of this previous search, that does what I asked above?

Please, let me know.

0 Karma
1 Solution

Esteemed Legend

Like this:

for "2":

index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | eval new_path=path_d | rex field=new_path mode=sed "s%/2/.*%/*%" | stats values(new_path)

for "home":

index=main | rex "\\s\\-\\s\\[(?<path_d>.+)\]" | eval new_path=path_d | rex field=new_path mode=sed "s%/home/.*%/*%" | stats values(new_path)

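The accepted answer's sed substitution followed by stats values(), modelled in Python as an added example (not Splunk's or the answerer's code) so its effect on the sample paths can be checked offline. The constructed SAMPLE_PATHS list copies the paths from the question; the second function goes a step beyond the answer by also rewriting a path whose last component is the target folder, which the answer's pattern leaves untouched.

```python
import re

# Constructed sample paths mirroring the ones in the question (not real log data).
SAMPLE_PATHS = [
    "root/home/1/2/3/4/5/6/",
    "root/home/1/2/3/4",
    "root/home/0/9/11",
    "root/home/0/9/22",
]


def wildcard_after(paths, folder):
    """Model the accepted answer: rex mode=sed "s%/<folder>/.*%/*%" then
    stats values(new_path).

    Everything from "/<folder>/" to the end of the string is replaced by "/*";
    paths that do not contain "/<folder>/" are left untouched, and the result
    is the de-duplicated, lexicographically sorted list that stats values()
    would produce.
    """
    pattern = re.compile("/" + re.escape(folder) + "/.*")
    return sorted({pattern.sub("/*", p, count=1) for p in paths})


def wildcard_after_strict(paths, folder):
    """Variant that also matches when <folder> is the last path component
    (e.g. "root/home/1/2"), which the answer's pattern skips because it
    requires a slash after the folder. Equivalent sed-style pattern
    (assumed, not from the thread): s%/<folder>(/.*)?$%/*%
    """
    pattern = re.compile("/" + re.escape(folder) + r"(/.*)?$")
    return sorted({pattern.sub("/*", p, count=1) for p in paths})


if __name__ == "__main__":
    for folder in ("2", "home", "9"):
        print(folder, wildcard_after(SAMPLE_PATHS, folder))
    # The trailing-component case the original pattern misses:
    print(wildcard_after(["root/home/1/2"], "2"))          # unchanged
    print(wildcard_after_strict(["root/home/1/2"], "2"))   # root/home/1/*
```

Note that the pattern matches the first "/<folder>/" anywhere in the path, so a folder name that recurs at different depths (for example "9") is cut at its first occurrence, not only directly under home.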

Communicator

thank you : )

0 Karma

SplunkTrust

I'd like to confirm what it is that you want to do by asking some questions:

Question 1:
Do your events only contain the path that you want, or are you getting the path as you describe in the first code box from the extracted values from your rex command (in the path_d result)?

Question 2:
Would you like the final output of the search from the events in the first box to look exactly like the results in the second box (specifically that you also have 4 entries)?

Question 3:
Do you only want one result as you show in the third box (only one event), or would you want four events all the same (your results seem to be inconsistent if not)?

Question 4:
Do you want the results that don't match your criteria (e.g. 2 or home subdirectories) to be unchanged?

0 Karma

Communicator

Question 1:
To get the path, I'm using the rex command, and they are the path_d results.

Question 2:
I can have infinite entries, like 10000 events; based on the parameters of the user, I would like to wildcard a specific parameter. And I would like to have the results of only the second box. In this case the parameter was 2.

Question 3:
Yes, I would like only one result, so dedup the copies, to have consistent data.
I have written 2 equal pathnames in this example, to make it understandable to other people.

Question 4:
Yes, if they don't match my criteria (parameter) they have to stay unchanged.

Thank you so much

0 Karma

Communicator

For now, I have created 2 queries, one that writes all the results that are not changing, and another one that writes the results that are changing:

  search: mvc.tokenSafe("index=main File:read | rex \"\\s\\-\\s\\[(?<path_dd>.+)\ $mytoken2$\" | dedup path_dd | eval path=path_dd+\"*\" | sort by path| table path | outputlookup output.csv append=True")
0 Karma

Motivator

Can you explain your lab correctly?

0 Karma