Solved: How to perform a regex where grouping multiple lin...

tha_ghost99 · ‎11-23-2022

below is the value of a field.

what i would like to do is do a regex where i would output node# + temperature.

example output:

Node0_temperature=26 degrees C / 78 degrees F

Node1_temperature=29 degrees C / 84 degrees F

thanks,




node0:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    Election priority              Master (default)
    Temperature                 26 degrees C / 78 degrees F
    CPU temperature             41 degrees C / 105 degrees F
    DRAM                      98254 MB (98304 MB installed)
    Memory utilization           4 percent
    5 sec CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     4 percent
      Interrupt                  1 percent
      Idle                      95 percent

node1:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    Election priority              Master (default)
    Temperature                 29 degrees C / 84 degrees F
    CPU temperature             41 degrees C / 105 degrees F
    DRAM                      98254 MB (98304 MB installed)
    Memory utilization           4 percent
    5 sec CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     2 percent
      Interrupt                  0 percent
      Idle                      98 percent

richgalloway · ‎11-23-2022

What are we looking at? Is that raw data or results from a Splunk search? Is it one event, two, or many? Which fields are extracted already? What regex/query have you tried so far?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

bowesmana · ‎11-23-2022

Assuming that's a single _raw event, then you want something like this

| rex max_match=0 "(?s)(?<nodeNum>node\d+):.*?Temperature\s+(?<temp>[^\n]*)"
| eval Temps=mvzip(nodeNum, temp, "=")

which will do a ". matches newline" match (?s) and extract both fields to nodeNum and temp fields

the mzvip will then join the two together.

tha_ghost99 · ‎11-28-2022

@bowesmana

quick question on this output. how can i modify it, if there are multiple Temperature fields under node0?

how can i capture the other Temperature values under the same node #?

| rex max_match=0 "(?s)(?<nodeNum>node\d+):.*?Temperature\s+(?<temp>[^\n]*)"
| eval Temps=mvzip(nodeNum, temp, "=")

tha_ghost99 · ‎11-24-2022

@bowesmana i got a new one.

using similar regex. how can i do a query where it will provide output if will provide output per NODE0 or NODE1 and display only if each line after "/var" if the line does not have "no such file or directory"

node0:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory
/var/: blablablaba.txt

node1:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory

so the output will end up being:

NODE0:

/var/: blablablaba.txt

NODE1:

null/blank/nothing

bowesmana · ‎11-24-2022

I am not sure how you'd write the regex to extract multiple /var lines that are 'connected' to the node - but I suggest asking this question in a new topic, so more eyes will get to see it.

tha_ghost99 · ‎11-25-2022

@bowesmana

thank you,

i will do that, if i can make it easier for you. using the same search string you gave me.

how can i modify it so that it grabs every single line.

node0:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory
/var/: blablablaba.txt

node1:
--------------------------------------------------------------------------
/var/: No such file or directory
/var/tmp/: No such file or directory

output expecting:

node0,/var/: No such file or directory
node0,/var/tmp/: No such file or directory
node0,/var/: blablablaba.txt

node1,/var/: No such file or directory
node1,/var/tmp/: No such file or directory

richgalloway · ‎11-23-2022

What are we looking at? Is that raw data or results from a Splunk search? Is it one event, two, or many? Which fields are extracted already? What regex/query have you tried so far?

---
If this reply helps you, Karma would be appreciated.

tha_ghost99 · ‎11-23-2022

sorry me again, what if i wanted to add a third paramater? example 'last reboot reason' ?

haha im stuck yet again

@richgalloway

richgalloway · ‎11-23-2022

Did you intend to accept @bowesmana 's answer? I have not provided one, yet.

---
If this reply helps you, Karma would be appreciated.

tha_ghost99 · ‎11-23-2022

thank you very much, this worked really well.. 🙂

@richgalloway

i may ask for a few more help later on. 🙂

thank you also @bowesmana for the help.

tha_ghost99 · ‎11-23-2022

hi thank you very much for replying.

this is the raw data, and one event.

within that event, splunk extracted the output provided, as a single field.

so technically you can ignore about the field, treat this as a single event. 🙂

How to perform a regex where grouping multiple lines to a single field/value?

regex

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes