I have not used regex in my queries much. Any help in resolving this would be very helpful.
I have the following log:
INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213803 and 266946419581359002
INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213903 and 266946419581359003
I wish to obtain the following result:
----------------------------------------------
suspect | altSuspect
----------------------------------------------
262352812954213803 | 266946419581359002
262352812954213903 | 266946419581359003
----------------------------------------------
i.e. the IDs found in the logs as suspect and altSuspect.
try this:
| makeresults count=1
| eval data = "INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213803 and 266946419581359002
;INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213903 and 266946419581359003"
| makemv delim=";" data
| mvexpand data
| rex field=data "for\s(?<suspect>\d+)\sand\s(?<altSuspect>\d+)"
| table suspect altSuspect
hope it helps
Thanks Adonio ! 🙂
If it's not clear from the above, the piece you need, @Nidd, is to add after whatever search you have to return your rows...
| rex field=data "for\s(?<suspect>\d+)\sand\s(?<altSuspect>\d+)"
| table suspect altSuspect
Those two lines should extract your two fields then create a table out of them for you.
Happy Splunking!
-Rich
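The same extraction outside Splunk, as an added example that is not part of the thread: the rex pattern from the answers is applied in Python (named groups become `(?P<name>...)`) to constructed log lines in the question's format, including a third line that carries no IDs and therefore yields no row, just as rex would produce no fields for it.

```python
import re

# Constructed sample in the format from the question: the two lines posted
# plus a third line whose message does not contain the suspect IDs.
SAMPLE_LOG = """\
INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213803 and 266946419581359002
INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213903 and 266946419581359003
INFO | 2018-06-04 09:26:47,102 | EvergreenWorker - finished createSuspects
"""

# Same capture groups as the Splunk rex, in Python's named-group syntax.
SUSPECT_RE = re.compile(r"for\s(?P<suspect>\d+)\sand\s(?P<altSuspect>\d+)")

# Splits "LEVEL | timestamp | component - message" into its parts.
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s\|\s(?P<ts>[\d-]+\s[\d:,]+)\s\|\s(?P<component>\S+)\s-\s(?P<msg>.*)$"
)


def parse_line(line):
    """Return the structured fields of one log line, or None if it is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def extract_suspects(log_text):
    """Mimic `| rex ... | table suspect altSuspect`: one row per matching line."""
    rows = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        m = SUSPECT_RE.search(fields["msg"])
        if m is None:
            # Like rex, a line without the pattern simply produces no fields.
            continue
        rows.append({"suspect": m.group("suspect"), "altSuspect": m.group("altSuspect")})
    return rows


if __name__ == "__main__":
    for row in extract_suspects(SAMPLE_LOG):
        print(row["suspect"], "|", row["altSuspect"])
```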
Thank you Rich 🙂