Splunk Search

REX with a variable rather than a string

PhilAndreotti
Explorer

Hi

I have a large chunk of raw data from one of my servers and am trying to filter the data down using multiple REX statements.

From the data, I run a REX to return my first value, for example:

mysearch | rex "ProcessID:(?<PROCESS>\d+)"

This works fine and I can see that the value is correct. I would then like to use the value of PROCESS in a further REX statement:

searchAsAbove | rexAsAbove | rex "<PROCESS>(?<CPU>\d+)"

I have tried multiple variations but I believe the PROCESS value is being input as a string rather than taking the value extracted from the previous REX.

Can anyone advise if there is a way to tell Splunk that the second REX is using a variable rather than a string? I have also tried using EVAL, for example eval "ProcID"=PROCESS then using the eval field in my REX statement but appear to get the same result.

Perhaps there is a better way of achieving this.

Thanks in advance

1 Solution

martin_mueller
SplunkTrust

Here's a thought:

... | rex "(?<PID>\d+)\" = \"rsyslogd\"" | eval RAM = replace(_raw, ".*" + PID + "\" = \"(\d+)\".*", "\1") | ...

That'll extract the 1134 before "rsyslogd" and use that in the replace() to locate the number after the equals sign, replacing the entire string with just that number - effectively extracting the field.

martin_mueller
SplunkTrust

The key here is to work around the apparent shortcoming of rex - static regex strings with no field value replacement - and achieve the same thing with eval that obviously can use field values.

The replace()'s regex matches the entire _raw event, replacing everything with the content of the first capturing group - the RAM usage.
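
As an added illustration, not code from the thread or from Splunk, here is the two-step extraction from the accepted answer above (rex for the PID, then eval replace() with a pattern built from that field) re-implemented in Python over a constructed sample event modelled on the SNMP walk Phil posts further down (HOST-RESOURCES-MIB hrSWRunName rows under 25.4.2.1.2.<pid>, hrSWRunPerfMem rows under 25.5.1.1.2.<pid>). The sample adds one extra process, PID 134 "cron", which is an assumption and not in the original extract, to show what the greedy ".*" + PID pattern does when one PID is a suffix of another; an anchored lookup and a whole-table parse that avoid that follow:

```python
import re

# Constructed sample, modelled on the SNMP walk quoted in the thread
# (hrSWRunName rows under 25.4.2.1.2.<pid>, hrSWRunPerfMem rows under
# 25.5.1.1.2.<pid>), with one extra process (PID 134, "cron", an assumption)
# added to expose the prefix collision. This stands in for Splunk's _raw.
RAW = (
    'SNMPv2-SMI::mib-2."25.4.2.1.2.134" = "cron" '
    'SNMPv2-SMI::mib-2."25.5.1.1.2.134" = "512" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1127" = "upstart-socket-" '
    'SNMPv2-SMI::mib-2."25.5.1.1.2.1127" = "388" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1134" = "rsyslogd" '
    'SNMPv2-SMI::mib-2."25.5.1.1.2.1134" = "1576" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1173" = "dbus-daemon" '
    'SNMPv2-SMI::mib-2."25.5.1.1.2.1173" = "988" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1320" = "sshd" '
    'SNMPv2-SMI::mib-2."25.5.1.1.2.1320" = "2928"'
)


def pid_for(raw, name):
    # Step 1, the thread's first rex: the digits immediately before
    # '" = "<name>"'. Returns a string, as a rex-extracted field would be,
    # or None when the process is not in the event.
    m = re.search(r'(\d+)" = "' + re.escape(name) + r'"', raw)
    return m.group(1) if m else None


def ram_via_replace(raw, pid):
    # Step 2 exactly as the accepted answer builds it:
    #   eval RAM = replace(_raw, ".*" + PID + "\" = \"(\d+)\".*", "\1")
    # The pattern is assembled from the field value at run time, the leading
    # greedy .* makes it match the whole event (settling on the LAST place
    # '<pid>" = "<digits>"' occurs), and the event is replaced by capture
    # group 1. Like Splunk's replace(), re.sub returns the input untouched
    # when nothing matches, so a missing PID yields the whole event, not "".
    pattern = '.*' + pid + '" = "(\\d+)".*'
    return re.sub(pattern, r'\1', raw)


def ram_anchored(raw, pid):
    # Hardened step 2: anchor on the full hrSWRunPerfMem OID so a PID that is
    # a suffix of another PID (134 vs 1134) can only hit its own row, and
    # escape the PID so it is matched literally.
    m = re.search(r'"25\.5\.1\.1\.2\.' + re.escape(pid) + r'" = "(\d+)"', raw)
    return int(m.group(1)) if m else None


def parse_hr_sw_run(raw):
    # Alternative to two dependent regexes: pull every name row and every
    # memory row once, key both by PID, and join on the PID.
    names = dict(re.findall(r'"25\.4\.2\.1\.2\.(\d+)" = "([^"]*)"', raw))
    mem = dict(re.findall(r'"25\.5\.1\.1\.2\.(\d+)" = "(\d+)"', raw))
    return {pid: (names[pid], int(mem[pid])) for pid in names if pid in mem}


def ram_for_process(raw, name):
    # End to end: process name -> PID -> RAM (kB), using the anchored lookup.
    pid = pid_for(raw, name)
    return None if pid is None else ram_anchored(raw, pid)


if __name__ == "__main__":
    pid = pid_for(RAW, "rsyslogd")
    print("rsyslogd PID:", pid, "RAM via replace():", ram_via_replace(RAW, pid))
    print("cron (PID 134) via replace():", ram_via_replace(RAW, "134"),
          "anchored:", ram_anchored(RAW, "134"))
    print(parse_hr_sw_run(RAW))
```

For rsyslogd both routes give 1576. For the added PID 134, the unanchored pattern settles on the 1134 row and reports 1576 instead of 512, because ".*134" also matches the tail of "1134". Carrying the fix back into the eval means concatenating the 25.5.1.1.2. OID prefix ahead of the PID in the replace() pattern rather than the bare PID, and treating an unchanged _raw as "no match" rather than as a value.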

PhilAndreotti
Explorer

This worked perfectly, thank you. Now I'm just trying to understand exactly what is going on rather than just use the answer, but I've done a few tests and it seems to be doing exactly what I need, so thank you very much.


PhilAndreotti
Explorer

The extract is an SNMP query from a server. It returns the process IDs and the RAM used for each. I am using an initial REX to identify the PID, then I need to use the PID to identify the RAM used. i.e.

REX to identify the PID of rsyslogd would = 1134.

I then use EVAL or go directly into another REX to add the PID to the following SNMP query to determine the number that is returned after SNMPv2-SMI::mib-2."25.5.1.1.2.1134" = " which is 1576. This is the RAM used for this particular process.

As the PID will change on each boot, I need to search for the unique PID every time for accuracy.


PhilAndreotti
Explorer

Thanks Martin, good point and I'll try to elaborate with the extract below:

SNMPv2-SMI::mib-2."25.4.2.1.2.1127" = "upstart-socket-" SNMPv2-SMI::mib-2."25.5.1.1.2.1127" = "388" SNMPv2-SMI::mib-2."25.4.2.1.2.1134" = "rsyslogd" SNMPv2-SMI::mib-2."25.5.1.1.2.1134" = "1576" SNMPv2-SMI::mib-2."25.4.2.1.2.1173" = "dbus-daemon" SNMPv2-SMI::mib-2."25.5.1.1.2.1173" = "988" SNMPv2-SMI::mib-2."25.4.2.1.2.1271" = "kworker/9:2" SNMPv2-SMI::mib-2."25.5.1.1.2.1271" = "0" SNMPv2-SMI::mib-2."25.4.2.1.2.1320" = "sshd" SNMPv2-SMI::mib-2."25.5.1.1.2.1320" = "2928"
Next comment will have details due to char limit


martin_mueller
SplunkTrust

Answering regular-expression-based questions without a look at the (anonymized?) raw data is nigh-on impossible, even for us 😛

Using a field value probably isn't going to work, but there might be an entirely different way to solve the issue.
