Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regular expression removal of identical placement values?

TheHardHattedGe
Explorer
‎06-27-2016 01:03 PM

Let's say I have a service that spits out information such as the following:

localhost;PING;PING OK - Packet loss = 0%, RTA = 0.05 ms;0
localhost;Root Partition;DISK OK - free space: / 46098 MB (90% inode=99%):;0
sv13docker;PING;PING OK - Packet loss = 0%, RTA = 0.90 ms;0
sv13jira;PING;PING OK - Packet loss = 0%, RTA = 0.84 ms;0
sv24d;PING;PING OK - Packet loss = 0%, RTA = 0.56 ms;0
sv24d;Rsyslog;PROCS OK: 1 process with command name 'rsyslogd';0

Each value leading up to the semicolon is its own respective field (which does not need to be defined by Splunk as individual fields). As follows, the fields of the information are host_name;service;body;liveservicestatus. My need is to be able to move the body results that have the same host_name to the same row. I cannot use methods such as transpose to do this as this search command will be utilized on something that will output more events than the transpose can handle. Any guidance is appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maciep
Champion
‎06-27-2016 06:51 PM

So you just need a row with the host_name and body values? And fields are already extracted?

If so, how about stats values()? That will give you a mulit-value field for the various unique values of body. And you then you can use whatever mv command/function needed to get them looking the way you'd like

... | stats values(body) as body by host_name

View solution in original post

Reply
Solved! Jump to solution
Solution

maciep
Champion
‎06-27-2016 06:51 PM

So you just need a row with the host_name and body values? And fields are already extracted?

If so, how about stats values()? That will give you a mulit-value field for the various unique values of body. And you then you can use whatever mv command/function needed to get them looking the way you'd like

... | stats values(body) as body by host_name
Reply
Solved! Jump to solution

TheHardHattedGe
Explorer
‎06-28-2016 05:33 AM

This appears to be a step in the right direction, as this now puts all the data into the same field as per host. However I need the body data to be split into another field.

0 Karma
Reply
Solved! Jump to solution

TheHardHattedGe
Explorer
‎06-28-2016 05:54 AM

alright looks like this works. This places the values into the same row as per host and from there, however there needs to be a way to separate it. Using strcat I can attach a field that has only ; to the body before I use the command you gave to combine the fields. Using mvcombine, I can put these 2 bits of information together and then 'rex' out the field values. The full code to do this is as follows.

...|eval placement=";"|strcat body placement data|stats values(data) as data by host_name|mvcombine delim=";" data|rex field=data "(?<ping>.*?;)(?<syslog>.*)"

Thanks for helping out with this.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2016 01:35 PM

What would the desired output look like?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

TheHardHattedGe
Explorer
‎06-27-2016 01:50 PM

When its all said and done the output should appear as

localhost;PING OK - Packet loss = 0%, RTA = 0.05 ms;DISK OK - free space: / 46098 MB (90% inode=99%):
sv13docker;PING OK - Packet loss = 0%, RTA = 0.90 ms
sv13jira;PING OK - Packet loss = 0%, RTA = 0.84 ms
sv24d;PING OK - Packet loss = 0%, RTA = 0.56 ms;PROCS OK: 1 process with command name 'rsyslogd'

I know that from there I can separate the data out into neater fields that I can use in tangent to the later searches im planning on combining it with. It doesn't have to be this, I just need the body data from service 1 and service 2 to be in two separate fields and to each respective host

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...