Splunk Search

REX expression for multiple extractions in columns

Path Finder

Hello all,

I was hoping I could get a bit of assistance in figuring out a rex expression I could use to extract part numbers that are in column, I have a sample data set below,

part_num      serial_num         type
abc            123                a
bcd            234                a
cde            456                b

Essentially I'm trying to extract all the "part_num" and "serial_num" for "types" of "a", I can extract the first part that matches however I've been unable to figure out how I can extract all fields I need of type a for my events, essentially it would look like this (FYI, I already have the host machine serial number extracted)

rex....
|stats list(part_num) as part_num list(serial_num) as serial_num by host_machine

host_machine.      part_num             serial_num
981-aabbc             abc                    123
                      bcd                    234

and this would display for all my machines. Thank you, and please let me know if there are any questions, I appreciate any help

0 Karma
1 Solution

Esteemed Legend

If your "dataset" above a single event that looks exactly like that, then you need multikv:

http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Multikv

View solution in original post

Esteemed Legend

If your "dataset" above a single event that looks exactly like that, then you need multikv:

http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Multikv

View solution in original post

Path Finder

Yes, your'e right, this looks like it will do the job, thank you.

0 Karma

Esteemed Legend

Is your "dataset" above a single event that looks exactly like that?

0 Karma

SplunkTrust
SplunkTrust

Your sample data set looks like a CSV file. Is it?

If it is, then wouldn't you want to do a lookup by type to get the part_num and serial_num from the lookup table? That would not require a rex statement at all.

If not, what exactly is the sample data set? And is it in Splunk as an event, or what?

0 Karma

Path Finder

No unfortunately this is not csv, (or structured data), essentially this is a large text file, and this data is in tabular format somewhere towards the middle of the file, the easiest way to look at it was if we ran an "ls -t" on a unix server with the headers being at the top, and yes it is in splunk as an event.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!