Below is the value of a field.
What I would like to do is a regex that outputs node# + temperature.
Example output:
Node0_temperature=26 degrees C / 78 degrees F
Node1_temperature=29 degrees C / 84 degrees F
Thanks,
node0:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    Election priority              Master (default)
    Temperature                 26 degrees C / 78 degrees F
    CPU temperature             41 degrees C / 105 degrees F
    DRAM                      98254 MB (98304 MB installed)
    Memory utilization          4 percent
    5 sec CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     4 percent
      Interrupt                  1 percent
      Idle                      95 percent
node1:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    Election priority              Master (default)
    Temperature                 29 degrees C / 84 degrees F
    CPU temperature             41 degrees C / 105 degrees F
    DRAM                      98254 MB (98304 MB installed)
    Memory utilization          4 percent
    5 sec CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     2 percent
      Interrupt                  0 percent
      Idle                      98 percent
What are we looking at? Is that raw data or results from a Splunk search? Is it one event, two, or many? Which fields are extracted already? What regex/query have you tried so far?
Assuming that's a single _raw event, then you want something like this:
| rex max_match=0 "(?s)(?<nodeNum>node\d+):.*?Temperature\s+(?<temp>[^\n]*)"
| eval Temps=mvzip(nodeNum, temp, "=")
which will do a ". matches newline" match (?s) and extract both fields to the nodeNum and temp fields;
the mvzip will then join the two together.
Quick question on this output: how can I modify it if there are multiple Temperature fields under node0?
How can I capture the other Temperature values under the same node #?
| rex max_match=0 "(?s)(?<nodeNum>node\d+):.*?Temperature\s+(?<temp>[^\n]*)" | eval Temps=mvzip(nodeNum, temp, "=")
@bowesmana I got a new one.
Using a similar regex, how can I do a query that provides output per NODE0 or NODE1 and displays each line after "/var" only if the line does not contain "no such file or directory"?
node0:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory
/var/: blablablaba.txt
node1:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory
So the output will end up being:
NODE0:
/var/: blablablaba.txt
NODE1:
null/blank/nothing
I am not sure how you'd write the regex to extract multiple /var lines that are 'connected' to the node - but I suggest asking this question in a new topic, so more eyes will get to see it.
Thank you,
I will do that. If I can make it easier for you: using the same search string you gave me,
how can I modify it so that it grabs every single line?
node0:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory
/var/: blablablaba.txt
node1:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory
Expected output:
node0,/var/: No such file or directory
node0,/var/tmp/: No such file or directory
node0,/var/: blablablaba.txt
node1,/var/: No such file or directory
node1,/var/tmp/: No such file or directory
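As an added example (not code from anyone in the thread or from Splunk), here is the same extraction done in Python over constructed samples of both pasted events: `node_temperatures` mirrors the rex/mvzip answer above, and `lines_per_node` goes a step beyond the thread by listing every `/var` line under its node, optionally dropping the "No such file or directory" ones. The function names, pattern names and sample strings are my own assumptions.

```python
import re

# Constructed sample of the single raw event from the thread (line breaks
# restored, some rows omitted); field names follow the pasted output.
RAW_TEMPS = """node0:
--------------------------------------------------------------------------
    Temperature                 26 degrees C / 78 degrees F
    CPU temperature             41 degrees C / 105 degrees F
node1:
--------------------------------------------------------------------------
    Temperature                 29 degrees C / 84 degrees F
    CPU temperature             41 degrees C / 105 degrees F
"""

# Constructed sample for the follow-up question (the /var listing per node).
RAW_VAR = """node0:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory
/var/: blablablaba.txt
node1:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory
"""

# Same shape as the rex in the answer: (?s) lets "." cross newlines, the lazy
# ".*?" stops at the first capital-T "Temperature" after each node header (so
# "CPU temperature" is skipped) and [^\n]* keeps the rest of that line.
# Python's re spells named groups (?P<name>...) instead of (?<name>...).
TEMP_RE = re.compile(r"(?s)(?P<nodeNum>node\d+):.*?Temperature\s+(?P<temp>[^\n]*)")
NODE_HDR_RE = re.compile(r"^(node\d+):[ \t]*$", re.MULTILINE)

def node_temperatures(raw: str) -> list[str]:
    """'nodeN=<temp>' per node, the equivalent of mvzip(nodeNum, temp, "=")."""
    return [f"{m['nodeNum']}={m['temp'].strip()}" for m in TEMP_RE.finditer(raw)]

def lines_per_node(raw: str, prefix: str = "/var", skip: str = "") -> list[tuple[str, str]]:
    """(node, line) for each line under a node header that starts with prefix;
    lines containing skip (case-insensitive) are dropped when skip is non-empty."""
    out, headers = [], list(NODE_HDR_RE.finditer(raw))
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(raw)
        for line in raw[hdr.end():end].splitlines():
            line = line.strip()
            if line.startswith(prefix) and (not skip or skip.lower() not in line.lower()):
                out.append((hdr.group(1), line))
    return out
```

Calling `lines_per_node(RAW_VAR, skip="No such file or directory")` gives only the node0 `blablablaba.txt` row, which is the filtered output asked for earlier in the thread.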
Sorry, me again. What if I wanted to add a third parameter? For example, 'last reboot reason'?
Haha, I'm stuck yet again.
Did you intend to accept @bowesmana 's answer? I have not provided one, yet.
Thank you very much, this worked really well. 🙂
I may ask for some more help later on. 🙂
Thank you also @bowesmana for the help.
Hi, thank you very much for replying.
This is the raw data, and one event.
Within that event, Splunk extracted the output provided as a single field.
So technically you can ignore the field and treat this as a single event. 🙂