Splunk Search

Regex for dynamic string

Explorer

Hey together,

My input is a dynamic input:

SysH=1.0;MemU=4871;MemF=3173;SwpU=5227;SwpF=10860;PrcC=95; eclipse.exe=0.175, firefox.exe=0.04, Dwm.exe=0.028, javaw.exe=0.025, Explorer.EXE=0.016; eclipse.exe=1611500, firefox.exe=1393504, javaw.exe=1180432, sidebar.exe=741164, PrivacyIconClient.exe=643392;CPUH=0.92;CPULd=0.08;CPUNonIdl=0.11;MemH=1.0;NetDownR=983399, eth7=0, eth6=0, eth11=0, eth0=0;NetUpR=17994, eth7=0, eth6=0, eth11=0, eth0=0;=0, eth10=0, eth12=0, eth15=0, eth9=0, eth14=0;

As you can see, I've got two fields with the same name but different values. What I wanna do is to add an "m_" in front of the name of the bigger one. I guess it's just possible with regex.
In fact, I would not ask you for that if it was a static input.
The program.exe parts are dynamic. But I really need to find a way to rename one of the fields in every case.

Hope some of you can help me.
Thanks!

0 Karma
1 Solution

Ultra Champion

The easiest solution is probably to rewrite the events with SEDCMD in props.conf on your indexer (or Heavy Forwarder);

[your sourcetype]
SEDCMD-blah = s/(\w+\.exe=\d{4,})/m_\1/g

As you can see, there are some assumptions here;
1) that all the stuff you want to rename ends in .exe
2) that they have at least a 4-digit value (i.e. greater than 1000)
3) that the binaries (i.e. field names) can contain only certain characters.

Adjust these things to suit your actual environment. Please note that this will actually change the events before they are written to disk, so if you're not allowed to tamper with the data, this might not be the way to go.


UPDATE:

Perhaps I should also explain what to do instead 🙂

It's essentially the same type of regex. While it looks like the events are altered, they are in fact not. Since the rex operates on the _raw field, they will look different in the search results. However, that change is not permanent.

your search for events 
| fields + _raw 
| rex field=_raw mode=sed "s/(\w+\.exe=\d{4,})/m_\1/g" 
| kv kvdelim="="

First you clear all the fields except _raw, then do the rex renaming, then extract the fields.

Hope this helps,

K

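As an added illustration (not part of this thread and not Splunk's own code), the Python below reproduces the renaming regex used in both the SEDCMD stanza and the search-time rex pipeline above, runs it over the event from the question, and then does a simplified key=value extraction so the effect of the rename is visible. The `extract_kv` splitting rules (break on `;` and `,`, then on the first `=`) are my approximation of what `kv kvdelim="="` produces, not Splunk's actual tokenizer, and the second sample event is constructed to show assumption 2 failing.

```python
import re

# Constructed copy of the event quoted in the question (one _raw string).
RAW_EVENT = (
    "SysH=1.0;MemU=4871;MemF=3173;SwpU=5227;SwpF=10860;PrcC=95; "
    "eclipse.exe=0.175, firefox.exe=0.04, Dwm.exe=0.028, javaw.exe=0.025, "
    "Explorer.EXE=0.016; eclipse.exe=1611500, firefox.exe=1393504, "
    "javaw.exe=1180432, sidebar.exe=741164, PrivacyIconClient.exe=643392;"
    "CPUH=0.92;CPULd=0.08;CPUNonIdl=0.11;MemH=1.0;"
    "NetDownR=983399, eth7=0, eth6=0, eth11=0, eth0=0;"
    "NetUpR=17994, eth7=0, eth6=0, eth11=0, eth0=0;"
    "=0, eth10=0, eth12=0, eth15=0, eth9=0, eth14=0;"
)

# Constructed event that violates assumption 2 of the answer: the second
# value has only three digits, so the regex leaves the duplicate in place.
SMALL_EVENT = "foo.exe=0.5, foo.exe=999;"

# The same expression the answer uses in SEDCMD / rex mode=sed:
# a \w+ name ending in ".exe" whose value has at least four digits.
# Note it is case-sensitive, so "Explorer.EXE" would never match.
RENAME_RE = re.compile(r"(\w+\.exe=\d{4,})")


def rename_big_fields(raw: str) -> str:
    """Prefix every matching name=value pair with 'm_' (s/.../m_\\1/g)."""
    return RENAME_RE.sub(r"m_\1", raw)


def extract_kv(raw: str) -> dict:
    """Simplified stand-in for `kv kvdelim="="` (my approximation, not
    Splunk's parser): split on ';' and ',', then on the first '='.
    Repeated names collect several values, which is exactly the
    duplicate-field problem from the question."""
    fields = {}
    for token in re.split(r"[;,]", raw):
        if "=" not in token:
            continue
        name, _, value = token.partition("=")
        name, value = name.strip(), value.strip()
        if not name:
            continue  # the stray "=0" token in the sample has no field name
        fields.setdefault(name, []).append(value)
    return fields


def collisions(raw: str) -> set:
    """Field names that still carry more than one value after extraction."""
    return {name for name, values in extract_kv(raw).items() if len(values) > 1}


if __name__ == "__main__":
    print("before:", sorted(collisions(RAW_EVENT)))
    print("after: ", sorted(collisions(rename_big_fields(RAW_EVENT))))
    print("small values not renamed:", collisions(rename_big_fields(SMALL_EVENT)))
```

Running it shows that the five process-memory pairs get the `m_` prefix and the `.exe` collisions disappear, while the `eth*` names under NetDownR and NetUpR still collide (the regex was never meant to touch them), and a second value under 1000 is left as a duplicate. That is the practical check to run before committing the SEDCMD to props.conf: confirm on real events that every name you expect to rename actually matches, because an indexing-time rewrite cannot be undone afterwards.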


Explorer

great! Thank you very much!

0 Karma

Ultra Champion

updated with search-time voodoo as well.

0 Karma