I was hoping I could get a bit of assistance in figuring out a rex expression I could use to extract part numbers that are in column, I have a sample data set below,
part_num serial_num type abc 123 a bcd 234 a cde 456 b
Essentially I'm trying to extract all the "part_num" and "serial_num" for "types" of "a", I can extract the first part that matches however I've been unable to figure out how I can extract all fields I need of type a for my events, essentially it would look like this (FYI, I already have the host machine serial number extracted)
|stats list(part_num) as part_num list(serial_num) as serial_num by host_machine
host_machine. part_num serial_num 981-aabbc abc 123 bcd 234
and this would display for all my machines. Thank you, and please let me know if there are any questions, I appreciate any help
Your sample data set looks like a CSV file. Is it?
If it is, then wouldn't you want to do a lookup by type to get the part_num and serial_num from the lookup table? That would not require a rex statement at all.
If not, what exactly is the sample data set? And is it in Splunk as an event, or what?
No unfortunately this is not csv, (or structured data), essentially this is a large text file, and this data is in tabular format somewhere towards the middle of the file, the easiest way to look at it was if we ran an "ls -t" on a unix server with the headers being at the top, and yes it is in splunk as an event.