Splunk Search

Regex for dynamic string

Dreads94
Explorer

Hey together,

My input is a dynamic input:

SysH=1.0;MemU=4871;MemF=3173;SwpU=5227;SwpF=10860;PrcC=95; eclipse.exe=0.175, firefox.exe=0.04, Dwm.exe=0.028, javaw.exe=0.025, Explorer.EXE=0.016; eclipse.exe=1611500, firefox.exe=1393504, javaw.exe=1180432, sidebar.exe=741164, PrivacyIconClient.exe=643392;CPUH=0.92;CPULd=0.08;CPUNonIdl=0.11;MemH=1.0;NetDownR=983399, eth7=0, eth6=0, eth11=0, eth0=0;NetUpR=17994, eth7=0, eth6=0, eth11=0, eth0=0;=0, eth10=0, eth12=0, eth15=0, eth9=0, eth14=0;

As you can see, I've got two fields with the same name but different values. What I wanna do is to add an "m_" in front of the name of the bigger one. I guess it's just possible with regex.
In fact, I would not ask you for that if it was a static input.
The program.exe parts are dynamic. But I really need to find a way to rename one of the fields in every case.

Hope some of you can help me.
Thanks!

0 Karma
1 Solution

kristian_kolb
Ultra Champion

The easiest solution is probably to rewrite the events with SEDCMD in props.conf on your indexer (or Heavy Forwarder);

[your sourcetype]
SEDCMD-blah = s/(\w+\.exe=\d{4,})/m_\1/g

As you can see, there are some assumptions here;
1) that all the stuff you want to rename ends in .exe
2) that they have at least a 4-digit value (i.e. greater than 1000)
3) that the binaries (i.e. field names) can contain only certain characters.

Adjust these things to suit your actual environment. Please note that this will actually change the events before they are written to disk, so if you're not allowed to tamper with the data, this might not be the way to go.


UPDATE:

Perhaps I should also explain what to do instead 🙂

It's essentially the same type of regex. While it looks like the events are altered, they are in fact not. Since the rex operates on the _raw field, they will look different in the search results. However, that change is not permanent.

your search for events 
| fields + _raw 
| rex field=_raw mode=sed "s/(\w+\.exe=\d{4,})/m_\1/g" 
| kv kvdelim="="

First you clear all the fields except _raw, then do the rex renaming, then extract the fields.

Hope this helps,

K


Dreads94
Explorer

great! Thank you very much!

0 Karma

kristian_kolb
Ultra Champion

Updated with search-time voodoo as well.

0 Karma