Splunk Search

Regex for dynamic string

Dreads94
Explorer

Hey together,

My input is a dynamic input:

SysH=1.0;MemU=4871;MemF=3173;SwpU=5227;SwpF=10860;PrcC=95; eclipse.exe=0.175, firefox.exe=0.04, Dwm.exe=0.028, javaw.exe=0.025, Explorer.EXE=0.016; eclipse.exe=1611500, firefox.exe=1393504, javaw.exe=1180432, sidebar.exe=741164, PrivacyIconClient.exe=643392;CPUH=0.92;CPULd=0.08;CPUNonIdl=0.11;MemH=1.0;NetDownR=983399, eth7=0, eth6=0, eth11=0, eth0=0;NetUpR=17994, eth7=0, eth6=0, eth11=0, eth0=0;=0, eth10=0, eth12=0, eth15=0, eth9=0, eth14=0;

As you can see, I've got two fields with the same name but different values. What I wanna do is to add an "m_" in front of the name of the bigger one. I guess it's just possible with regex.
In fact, I would not ask you for that if it was a static input.
The program.exe parts are dynamic. But I really need to find a way to rename one of the fields in every case.

Hope some of you can help me.
Thanks!

0 Karma
1 Solution

kristian_kolb
Ultra Champion

The easiest solution is probably to rewrite the events with SEDCMD in props.conf on your indexer (or Heavy Forwarder);

[your sourcetype]
SEDCMD-blah = s/(\w+\.exe=\d{4,})/m_\1/g

As you can see, there are some assumptions here:
1) that all the stuff you want to rename ends in .exe
2) that they have at least a 4-digit value (i.e. greater than 1000)
3) that the binaries (i.e. field names) can contain only certain characters.

Adjust these things to suit your actual environment. Please note that this will actually change the events before they are written to disk, so if you're not allowed to tamper with the data, this might not be the way to go.


UPDATE:

Perhaps I should also explain what to do instead 🙂

It's essentially the same type of regex. While it looks like the events are altered, they are in fact not. Since the rex operates on the _raw field, they will look different in the search results. However, that change is not permanent.

your search for events 
| fields + _raw 
| rex field=_raw mode=sed "s/(\w+\.exe=\d{4,})/m_\1/g" 
| kv kvdelim="="

First you clear all the fields except _raw, then do the rex renaming, then extract the fields.

Hope this helps,

K

Dreads94
Explorer

great! Thank you very much!

0 Karma

kristian_kolb
Ultra Champion

updated with search-time voodoo as well.

0 Karma