Hey together,
My input is a dynamic input:
SysH=1.0;MemU=4871;MemF=3173;SwpU=5227;SwpF=10860;PrcC=95; eclipse.exe=0.175, firefox.exe=0.04, Dwm.exe=0.028, javaw.exe=0.025, Explorer.EXE=0.016; eclipse.exe=1611500, firefox.exe=1393504, javaw.exe=1180432, sidebar.exe=741164, PrivacyIconClient.exe=643392;CPUH=0.92;CPULd=0.08;CPUNonIdl=0.11;MemH=1.0;NetDownR=983399, eth7=0, eth6=0, eth11=0, eth0=0;NetUpR=17994, eth7=0, eth6=0, eth11=0, eth0=0;=0, eth10=0, eth12=0, eth15=0, eth9=0, eth14=0;
As you can see, I've got two fields with the same name but different values. What I wanna do is to add an "m_" in front of the name of the bigger one. I guess it's just possible with regex.
In fact, I would not ask you for that if it was a static input.
The program.exe parts are dynamic. But I really need to find a way to rename one of the fields in every case.
Hope some of you can help me.
Thanks!
The easiest solution is probably to rewrite the events with SEDCMD in props.conf on your indexer (or Heavy Forwarder);
[your sourcetype]
SEDCMD-blah = s/(\w+\.exe=\d{4,})/m_\1/g
As you can see, there are some assumptions here;
1) that all the stuff you want to rename ends in .exe
2) that they have at least a 4-digit value (i.e. greater than 1000)
3) that the binaries (i.e. field names) can contain only certain characters.
Adjust these things to suit your actual environment. Please note that this will actually change the events before they are written to disk, so if you're not allowed to tamper with the data, this might not be the way to go.
UPDATE:
Perhaps I should also explain what to do instead 🙂
It's essentially the same type of regex. While it looks like the events are altered, they are in fact not. Since the rex operates on the _raw field, they will look different in the search results. However, that change is not permanent.
your search for events
| fields + _raw
| rex field=_raw mode=sed "s/(\w+\.exe=\d{4,})/m_\1/g"
| kv kvdelim="="
First you clear all the fields except _raw, then do the rex renaming, then extract the fields.
Hope this helps,
K
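As an added illustration that is not part of the original thread, here is the same sed-style rename and key-value extraction done in Python over a constructed copy of the question's event. The helper names are mine, and the small kv extractor is a simplified stand-in for Splunk's kv command, not a reproduction of its behaviour.

```python
import re

# Constructed sample event, modelled on the question's input: note the two
# eclipse.exe fields, a CPU fraction (0.175) and a memory figure (1611500).
SAMPLE_EVENT = (
    "SysH=1.0;MemU=4871;MemF=3173;SwpU=5227;SwpF=10860;PrcC=95; "
    "eclipse.exe=0.175, firefox.exe=0.04, Dwm.exe=0.028, javaw.exe=0.025, Explorer.EXE=0.016; "
    "eclipse.exe=1611500, firefox.exe=1393504, javaw.exe=1180432, sidebar.exe=741164, "
    "PrivacyIconClient.exe=643392;CPUH=0.92;CPULd=0.08;CPUNonIdl=0.11;MemH=1.0;"
    "NetDownR=983399, eth7=0, eth6=0, eth11=0, eth0=0;NetUpR=17994, eth7=0, eth6=0, eth11=0, eth0=0;"
)

# Same expression as the answer's SEDCMD / rex mode=sed: a .exe field name whose
# value has at least four digits gets an "m_" prefix. Fractions like 0.175 have
# only one digit before the dot, so they are left alone.
RENAME_RE = re.compile(r"(\w+\.exe=\d{4,})")

# Toy stand-in for Splunk's `kv kvdelim="="` (assumption: keys and values are
# word characters and dots, which holds for this event).
KV_RE = re.compile(r"([\w.]+)=([\w.]+)")


def rename_memory_fields(raw: str) -> str:
    """Apply the sed-style rename to the raw event text."""
    return RENAME_RE.sub(r"m_\1", raw)


def extract_kv(raw: str) -> dict:
    """Extract key=value pairs. A repeated key keeps the last value seen here,
    which is exactly how the duplicate eclipse.exe field silently collides."""
    return {key: value for key, value in KV_RE.findall(raw)}


def extract_after_rename(raw: str) -> dict:
    """Rename first, then extract: both eclipse.exe values survive."""
    return extract_kv(rename_memory_fields(raw))


if __name__ == "__main__":
    before = extract_kv(SAMPLE_EVENT)
    after = extract_after_rename(SAMPLE_EVENT)
    print("without rename, eclipse.exe =", before["eclipse.exe"])
    print("with rename, eclipse.exe   =", after["eclipse.exe"])
    print("with rename, m_eclipse.exe =", after["m_eclipse.exe"])
```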
great! Thank you very much!
updated with search-time voodoo as well.