Splunk Search

How to extract multiple values from a single event in search?

bud4
Engager

Data in an event:
The data contains the total number of processes that can run, the number of processes running, the userID under which they are running, the pool under which they are running, and the names of each of them running on a server at a particular time. All processes run from this directory: /root/user/bin/. They end with either .sh or .deb.

Single Event:

Time: 21:30
Total: 60 Running: 05
mt100 pool1    /root/user/bin/process1.sh
mt100 pool12    /root/user/bin/process21.deb
mt201 pool2    /root/user/bin/process321.sh
mt301 pool3    /root/user/bin/process432.deb
mt301 pool312    /root/user/bin/process52.sh

Question:
How do I extract only the list of process names into a multi-value field? I was not able to achieve this through field extraction using regex, as it was extracting everything. I tried using the rex field option in Splunk search, but I wasn't sure where to start since there were multiple values. Any help is greatly appreciated. Thank you.

I am trying to get the below values in a single field for the above event:

/root/user/bin/process1.sh
/root/user/bin/process21.deb
/root/user/bin/process321.sh
/root/user/bin/process432.deb
/root/user/bin/process52.sh
0 Karma

jpolvino
Builder

Assuming your spaces are consistent, this might work for you:

| makeresults 
| eval temp="Time: 21:30
Total: 60 Running: 05
mt100 pool1    /root/user/bin/process1.sh
mt100 pool12    /root/user/bin/process21.deb
mt201 pool2    /root/user/bin/process321.sh
mt301 pool3    /root/user/bin/process432.deb
mt301 pool312    /root/user/bin/process52.sh" 
| rex field=temp max_match=0 "(?<=\s\s\s\s)(?<multi>.*)"
| fields - temp

It uses positive lookbehind to match but not consume. You'll end up with a field called multi that has 5 items.

/root/user/bin/process1.sh
/root/user/bin/process21.deb
/root/user/bin/process321.sh
/root/user/bin/process432.deb
/root/user/bin/process52.sh

to4kawa
Ultra Champion
| makeresults 
| eval temp="Time: 21:30
Total: 60 Running: 05
mt100 pool1    /root/user/bin/process1.sh
mt100 pool12    /root/user/bin/process21.deb
mt201 pool2    /root/user/bin/process321.sh
mt301 pool3    /root/user/bin/process432.deb
mt301 pool312    /root/user/bin/process52.sh" 
| eval _raw=replace(temp,"(?m)Total.+$","userID pool processname")
| multikv forceheader=2
| table userID pool processname
| foreach * 
    [eval <<FIELD>> = trim(<<FIELD>>)]

Everyone uses rex, so I tried it in a different way.
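As an added example (not code from this thread), here is the same extraction done in Python, whose re module behaves like rex for these patterns: extract_process_paths is the twin of rex max_match=0 and returns the process paths as one list, parse_event builds the userID/pool/processname records that the multikv answer produces, and find_policy_violations goes one step further than the question by checking each path against the rule stated there (everything under /root/user/bin/, ending in .sh or .deb) after normalising the path, so a "/root/user/bin/../../../bin/sh" entry that still starts with the expected prefix is caught. SAMPLE_EVENT is the event from the question; SUSPICIOUS_EVENT, EXPECTED_DIR and ALLOWED_SUFFIXES are constructed for this example.

```python
import posixpath
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the single multi-line event from the question.
SAMPLE_EVENT = """Time: 21:30
Total: 60 Running: 05
mt100 pool1    /root/user/bin/process1.sh
mt100 pool12    /root/user/bin/process21.deb
mt201 pool2    /root/user/bin/process321.sh
mt301 pool3    /root/user/bin/process432.deb
mt301 pool312    /root/user/bin/process52.sh"""

# Constructed event that breaks the rule stated in the question: a traversal
# path that still starts with the expected prefix, a path outside the
# directory, and a Running count that does not match the number of lines.
SUSPICIOUS_EVENT = """Time: 21:45
Total: 60 Running: 02
mt100 pool1    /root/user/bin/process1.sh
mt999 pool7    /root/user/bin/../../../bin/sh
mt999 pool7    /tmp/update.py"""

# Rule from the question; these two names are this example's own.
EXPECTED_DIR = "/root/user/bin/"
ALLOWED_SUFFIXES = (".sh", ".deb")

# Per-line patterns: (?m) with ^...$ and [ \t]+ between columns keeps each
# match on its own line. An unanchored greedy ".*" is what "extracts everything".
PROCESS_LINE = re.compile(
    r"(?m)^(?P<userid>\S+)[ \t]+(?P<pool>\S+)[ \t]+(?P<path>/\S+)[ \t]*$"
)
HEADER = re.compile(
    r"(?m)^Total:[ \t]*(?P<total>\d+)[ \t]+Running:[ \t]*(?P<running>\d+)[ \t]*$"
)


class Process(NamedTuple):
    userid: str
    pool: str
    path: str


def extract_process_paths(event: str) -> List[str]:
    r"""Python twin of `rex max_match=0 "(?<process_name>\/\S+)"`:
    every absolute path in the event, in order, as one list."""
    return re.findall(r"/\S+", event)


def parse_event(event: str) -> Dict[str, object]:
    """Header counters plus one record per process line, like the
    userID/pool/processname table the multikv answer produces."""
    header = HEADER.search(event)
    if header is None:
        raise ValueError("event has no 'Total: N Running: M' line")
    processes = [Process(**m.groupdict()) for m in PROCESS_LINE.finditer(event)]
    return {
        "total": int(header["total"]),
        "running": int(header["running"]),
        "processes": processes,
    }


def find_policy_violations(event: str) -> List[str]:
    """Findings worth alerting on: a path that resolves outside the expected
    directory (normalised first, so '..' tricks are caught), an unexpected
    extension, or a process count that disagrees with the Running counter."""
    parsed = parse_event(event)
    findings: List[str] = []
    for p in parsed["processes"]:
        resolved = posixpath.normpath(p.path)
        if not resolved.startswith(EXPECTED_DIR):
            findings.append(
                f"{p.userid} {p.pool}: {p.path} resolves to {resolved}, outside {EXPECTED_DIR}"
            )
        if not resolved.endswith(ALLOWED_SUFFIXES):
            findings.append(f"{p.userid} {p.pool}: unexpected extension on {p.path}")
    if len(parsed["processes"]) != parsed["running"]:
        findings.append(
            f"Running={parsed['running']} but {len(parsed['processes'])} process lines"
        )
    return findings


if __name__ == "__main__":
    print(extract_process_paths(SAMPLE_EVENT))
    for finding in find_policy_violations(SUSPICIOUS_EVENT):
        print("ALERT:", finding)
```

The anchored per-line pattern is the part worth carrying back to Splunk: a rex of the form "(?m)^(?<userid>\S+)\s+(?<pool>\S+)\s+(?<path>/\S+)$" with max_match=0 gives three aligned multi-value fields, one value per process line, instead of one greedy match that swallows the rest of the event.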

potnuru
Path Finder

Hi @to4kawa @jpolvino @woodcock 

Could you please help on the below Query?

I am running a Splunk integrity check on index=windowss and getting the output as follows. I want each bucket name and its integrity check status in table form.

Like

Bucket                                                                     Status
/global/apps/splunk/var/lib/splunk/windowss/db/db_1584626694_1584529970_0  succeeded
/global/apps/splunk/var/lib/splunk/windowss/db/db_1584698360_1584625847_1  failed


Splunk Log:

WatchdogActionsManager reload started.
Starting WatchdogThread for process pid=25552. Threads monitoring is enabled with response timeout set to 8000 ms.
Max bucket size is larger than the index size limit. Please check your index configuration. idx=_introspection; bucket size in MB (from maxDataSize) 1024, maxDataSizeMB=500
Skip bucket='/global/apps/splunk/var/lib/splunk/windowss/db/GlobalMetaData'; directory does not match any of the expected formats: db_<epochLT>_<epochET>_<localID> db_<epochLT>_<epochET>_<localID>_<GUID> rb_<epochLT>_<epochET>_<localID>_<GUID> hot_v1_<localID> hot_quar_v1_<localID>
CMIndexId: New indexName=windowss inserted, mapping to id=1
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1584626694_1584529970_0'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1584626694_1584529970_0
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1584698360_1584625847_1'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1584698360_1584625847_1
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591118937_1591118937_26'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591118937_1591118937_26
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1584701822_1584698576_2'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1584701822_1584698576_2
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591119707_1591119581_27'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591119707_1591119581_27
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1584706575_1584702005_3'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1584706575_1584702005_3
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591167910_1591120372_28'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591167910_1591120372_28
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585034348_1584706740_4'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585034348_1584706740_4
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591185902_1591168391_29'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591185902_1591168391_29
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585034976_1585034570_5'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585034976_1585034570_5
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591196528_1591186143_30'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591196528_1591186143_30
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585233380_1585035220_6'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585233380_1585035220_6
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591197443_1591196937_31'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591197443_1591196937_31
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585587350_1585233595_7'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585587350_1585233595_7
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591202937_1591197915_32'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591202937_1591197915_32
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585590402_1585587540_8'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585590402_1585587540_8
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591285018_1591203418_33'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591285018_1591203418_33
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585650160_1585590609_9'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585650160_1585590609_9
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591290537_1591285638_34'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591290537_1591285638_34
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585651732_1585650436_10'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585651732_1585650436_10
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591380900_1591291018_35'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591380900_1591291018_35
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585652984_1585651955_11'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585652984_1585651955_11
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592474876_1591381676_36'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592474876_1591381676_36
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1586161286_1585653204_12'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1586161286_1585653204_12
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592548925_1592548629_40'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592548925_1592548629_40
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1586443691_1586161566_13'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1586443691_1586161566_13
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592812462_1592549519_41'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592812462_1592549519_41
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1586942890_1586443810_14'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1586942890_1586443810_14
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1586956465_1586943063_15'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1586956465_1586943063_15
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1586962925_1586956667_16'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1586962925_1586956667_16
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1587096268_1586963101_17'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1587096268_1586963101_17
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1587324700_1587096469_18'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1587324700_1587096469_18
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1587558636_1587324901_19'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1587558636_1587324901_19
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/hot_v1_42'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/hot_v1_42
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1589368776_1587558838_20'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1589368776_1587558838_20
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1589371786_1589368956_21'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1589371786_1589368956_21
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1589373537_1589372038_22'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1589373537_1589372038_22
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1589469729_1589373732_23'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1589469729_1589373732_23
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1589807477_1589469992_24'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1589807477_1589469992_24
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591118218_1589807487_25'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591118218_1589807487_25
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592475524_1592475118_37'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592475524_1592475118_37
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592490747_1592476076_38'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592490747_1592476076_38
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592548300_1592490960_39'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592548300_1592490960_39
Total buckets checked=43, succeeded=43, failed=0
Stopping WatchdogThread.

0 Karma

to4kawa
Ultra Champion

| makeresults | eval _raw="WatchdogActionsManager reload started.
Starting WatchdogThread for process pid=25552. Threads monitoring is enabled with response timeout set to 8000 ms.
Max bucket size is larger than the index size limit. Please check your index configuration. idx=_introspection; bucket size in MB (from maxDataSize) 1024, maxDataSizeMB=500
Skip bucket='/global/apps/splunk/var/lib/splunk/windowss/db/GlobalMetaData'; directory does not match any of the expected formats: db_<epochLT>_<epochET>_<localID> db_<epochLT>_<epochET>_<localID>_<GUID> rb_<epochLT>_<epochET>_<localID>_<GUID> hot_v1_<localID> hot_quar_v1_<localID>
CMIndexId: New indexName=windowss inserted, mapping to id=1
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1584626694_1584529970_0'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1584626694_1584529970_0
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1584698360_1584625847_1'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1584698360_1584625847_1
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591118937_1591118937_26'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591118937_1591118937_26
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1584701822_1584698576_2'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1584701822_1584698576_2
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591119707_1591119581_27'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591119707_1591119581_27
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1584706575_1584702005_3'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1584706575_1584702005_3
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591167910_1591120372_28'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591167910_1591120372_28
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585034348_1584706740_4'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585034348_1584706740_4
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591185902_1591168391_29'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591185902_1591168391_29
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585034976_1585034570_5'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585034976_1585034570_5
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591196528_1591186143_30'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591196528_1591186143_30
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585233380_1585035220_6'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585233380_1585035220_6
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591197443_1591196937_31'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591197443_1591196937_31
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585587350_1585233595_7'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585587350_1585233595_7
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591202937_1591197915_32'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591202937_1591197915_32
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585590402_1585587540_8'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585590402_1585587540_8
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591285018_1591203418_33'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591285018_1591203418_33
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585650160_1585590609_9'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585650160_1585590609_9
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591290537_1591285638_34'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591290537_1591285638_34
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585651732_1585650436_10'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585651732_1585650436_10
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591380900_1591291018_35'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591380900_1591291018_35
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1585652984_1585651955_11'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1585652984_1585651955_11
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592474876_1591381676_36'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592474876_1591381676_36
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1586161286_1585653204_12'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1586161286_1585653204_12
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592548925_1592548629_40'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592548925_1592548629_40
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1586443691_1586161566_13'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1586443691_1586161566_13
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592812462_1592549519_41'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592812462_1592549519_41
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1586942890_1586443810_14'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1586942890_1586443810_14
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1586956465_1586943063_15'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1586956465_1586943063_15
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1586962925_1586956667_16'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1586962925_1586956667_16
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1587096268_1586963101_17'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1587096268_1586963101_17
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1587324700_1587096469_18'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1587324700_1587096469_18
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1587558636_1587324901_19'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1587558636_1587324901_19
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/hot_v1_42'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/hot_v1_42
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1589368776_1587558838_20'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1589368776_1587558838_20
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1589371786_1589368956_21'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1589371786_1589368956_21
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1589373537_1589372038_22'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1589373537_1589372038_22
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1589469729_1589373732_23'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1589469729_1589373732_23
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1589807477_1589469992_24'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1589807477_1589469992_24
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1591118218_1589807487_25'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1591118218_1589807487_25
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592475524_1592475118_37'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592475524_1592475118_37
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592490747_1592476076_38'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592490747_1592476076_38
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1592548300_1592490960_39'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1592548300_1592490960_39
Total buckets checked=43, succeeded=43, failed=0
Stopping WatchdogThread."
| multikv noheader=t
| table _raw
| rex "(?<bucket>\/\S+)'?"
| rex "(?<status>succeeded|failed)"
| eval bucket=trim(bucket,"'")
| stats values(status) as status by bucket

@potnuru 
Your sample is wrong. There is no failed event.
And I don't want to be asked a question in an old thread.

0 Karma

potnuru
Path Finder

@to4kawa Sorry for posting the question in old thread.

I know there are no failed checks; all are successful checks.

The sample I have given is a single event in Splunk. I am not getting the status field when I run the query on my search head as below; please help. But it works if I run your query as it is, i.e. with makeresults.

index=something_windowss
| multikv noheader=t
| table _raw
| rex "(?<bucket>\/\S+)'?"
| rex "(?<status>succeeded|failed)"
| eval bucket=trim(bucket,"'")
| stats values(status) as status by bucket

0 Karma

to4kawa
Ultra Champion

index=something_windows
| rex "(?<bucket>\/\S+)'?"
| rex "(?<status>succeeded|failed)"
| eval bucket=trim(bucket,"'")
| stats values(status) as status by bucket

@potnuru 
how about this?

You may need to separate single events in props.conf.

LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false

0 Karma

potnuru
Path Finder

@to4kawa It will work only if we separate the log into single events. But our requirement is not to break the event into multiple events.

0 Karma

to4kawa
Ultra Champion

| rex "(?<status>succeeded|failed)"

| rex max_match=0 "(?<status>succeeded|failed)"

Maybe it needs others.

0 Karma

potnuru
Path Finder

@to4kawa Initially I tried only this: | rex max_match=0 "(?<status>succeeded|failed)". I am getting the bucket name and status as multi-value fields. As all I have are success events, I am not sure if mvindex(status,0) and mvindex(bucket,0) will be from the same line. So I have looked for other solutions and posted the query.

Could you let me know how we can loop through an index (mvindex) from 0, 1, 2 ... till the end? I mean

mvindex(status,0)

mvindex(status,1)

mvindex(status,2)

mvindex(status,3).... till the end of the index.

0 Karma
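The alignment concern in the post above is well founded: two separate rex max_match=0 extractions over one event give two multi-value fields whose indexes only line up if every line contributed exactly one value to each, and in this output the Skip bucket= line, the Operating on: lines and the Total buckets checked= summary all break that. The following is an added example, not code from this thread, in Python (whose re module behaves like rex for these patterns). naive_extract shows the two misaligned lists; extract_pairs takes bucket and status together from each "Integrity check ... path=" line so that index i of one always belongs to index i of the other; audit walks every pair (the loop over mvindex 0..n asked for above), lists failed buckets and cross-checks the pair count and failure count against the run's own summary line. SAMPLE_LOG is a constructed excerpt in the shape of the output quoted earlier; the "failed" line and the summary counts are assumed wording, since the real output contained only successes.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the integrity-check output quoted in the
# thread. The "failed" line and the summary counts are assumed wording for the
# sake of the example; the real output above contained only successes.
SAMPLE_LOG = """WatchdogActionsManager reload started.
Skip bucket='/global/apps/splunk/var/lib/splunk/windowss/db/GlobalMetaData'; directory does not match any of the expected formats
CMIndexId: New indexName=windowss inserted, mapping to id=1
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1584626694_1584529970_0'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1584626694_1584529970_0
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/db_1584698360_1584625847_1'
Integrity check failed on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/db_1584698360_1584625847_1
Operating on: idx=windowss bucket='/global/apps/splunk/var/lib/splunk/windowss/db/hot_v1_42'
Integrity check succeeded on bucket with path=/global/apps/splunk/var/lib/splunk/windowss/db/hot_v1_42
Total buckets checked=3, succeeded=2, failed=1
Stopping WatchdogThread."""


def naive_extract(log: str) -> Tuple[List[str], List[str]]:
    r"""What the two separate rex calls from the thread produce on one event:
    rex max_match=0 "(?<bucket>\/\S+)'?" and rex max_match=0 "(?<status>succeeded|failed)".
    Every line with a path feeds the first list (Skip, Operating on, Integrity
    check) and the summary line feeds the second, so index i of one list has
    no relation to index i of the other."""
    buckets = [b.strip("'") for b in re.findall(r"/\S+", log)]
    statuses = re.findall(r"succeeded|failed", log)
    return buckets, statuses


# One pattern with both groups, anchored to the line that carries the verdict.
PAIR = re.compile(
    r"(?m)^Integrity check (?P<status>succeeded|failed) on bucket with path=(?P<bucket>\S+)[ \t]*$"
)
SUMMARY = re.compile(
    r"Total buckets checked=(?P<checked>\d+), succeeded=(?P<ok>\d+), failed=(?P<bad>\d+)"
)


def extract_pairs(log: str) -> List[Tuple[str, str]]:
    """(bucket, status) tuples that are guaranteed to come from the same line."""
    return [(m["bucket"], m["status"]) for m in PAIR.finditer(log)]


def audit(log: str) -> Dict[str, object]:
    """Walk every pair, collect failed buckets, and cross-check the pair count
    and failure count against the run's own summary line. A mismatch means
    lines were dropped or truncated and the resulting table cannot be trusted."""
    pairs = extract_pairs(log)
    failed = [bucket for bucket, status in pairs if status == "failed"]
    summary = SUMMARY.search(log)
    consistent = (
        summary is not None
        and int(summary["checked"]) == len(pairs)
        and int(summary["bad"]) == len(failed)
    )
    return {"checked": len(pairs), "failed": failed, "summary_consistent": consistent}


if __name__ == "__main__":
    b, s = naive_extract(SAMPLE_LOG)
    print(f"naive: {len(b)} bucket values vs {len(s)} status values")
    for bucket, status in extract_pairs(SAMPLE_LOG):
        print(f"{status:9s} {bucket}")
    print(audit(SAMPLE_LOG))
```

In SPL the same pairing is one rex with both capture groups in the pattern, | rex max_match=0 "Integrity check (?<status>succeeded|failed) on bucket with path=(?<bucket>\S+)", followed by | eval pair=mvzip(bucket,status,"|") | mvexpand pair to get one row per bucket. Because both groups come from the same match, mvindex(bucket,i) and mvindex(status,i) then refer to the same line, and the event does not have to be broken up at index time.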

woodcock
Esteemed Legend

You should check out the multikv command but the answer is this:

| makeresults
| eval _raw="Time: 21:30
Total: 60 Running: 05
mt100 pool1    /root/user/bin/process1.sh
mt100 pool12    /root/user/bin/process21.deb
mt201 pool2    /root/user/bin/process321.sh
mt301 pool3    /root/user/bin/process432.deb
mt301 pool312    /root/user/bin/process52.sh"
| rex max_match=0 "(?<process_name>\/.*)"

vnravikumar
Champion

Hi

Check this

| makeresults
| eval temp="Time: 21:30
Total: 60 Running: 05
mt100 pool1    /root/user/bin/process1.sh
mt100 pool12    /root/user/bin/process21.deb
mt201 pool2    /root/user/bin/process321.sh
mt301 pool3    /root/user/bin/process432.deb
mt301 pool312    /root/user/bin/process52.sh"
| rex field=temp max_match=0 "(?P<processname>(\/.+))"