Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Require help with rex query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have the below type of logs:
log1: Mon Feb 8 02:57:36 EST 2021 41% /logs
log2: Mon Feb 8 02:57:36 EST 2021 73% /opt
log3: Mon Feb 8 02:57:36 EST 2021 69% /var
log4: Mon Feb 8 02:57:36 EST 2021 48% /apps
I want to create a table as below:
File_System Disk_Usage
\logs 41
\opt 73
\var 69
\apps 48
Here I want to extract the "Disk_Usage" and "File_System" fields with the respective values. This might be a very silly question but I might be missing out something while creating the rex command. So please help me create the rex command. you kind support will be highly appreciated.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @Mrig342,
Try this,
| makeresults
| eval _raw=" _raw
Mon Feb 8 02:57:36 EST 2021 41% /logs
Mon Feb 8 02:57:36 EST 2021 73% /opt
Mon Feb 8 02:57:36 EST 2021 69% /var
Mon Feb 8 02:57:36 EST 2021 48% /apps"
| multikv forceheader=1
| rex "\s(?<Disk_Usage>\d+)\%\s\/(?<File_System>\w+)"
| table File_System, Disk_Usage
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @Mrig342,
Try this,
| makeresults
| eval _raw=" _raw
Mon Feb 8 02:57:36 EST 2021 41% /logs
Mon Feb 8 02:57:36 EST 2021 73% /opt
Mon Feb 8 02:57:36 EST 2021 69% /var
Mon Feb 8 02:57:36 EST 2021 48% /apps"
| multikv forceheader=1
| rex "\s(?<Disk_Usage>\d+)\%\s\/(?<File_System>\w+)"
| table File_System, Disk_Usage
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much @manjunathmeti.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
