Rex and sed usage

manuarora
Explorer

I want to convert the output below into something more meaningful:

L2cache0 size 0 cd0 audio_supported yes cd0 cdda_supported yes cd0 data_verify enable cd0 prevent_eject yes en0 alias4 en0 alias6 en0 arp on en0 authority en0 broadcast en0 mtu 1500 en0 netaddr 157.191.125.12 en0 

This is for host1 and similarly for all other hosts, converted to something like:

Hosts    Devicename    Attribute             Value
host1    L2cache0      size                  0
host1    cd0           audio_supported       yes
host1    cd0           data_verify           enable

and so on....

Stephen_Sorkin
Splunk Employee

This is certainly a little tricky but is definitely doable. Below is a search sample. Assume that you have a field called "metrics" with the above data.

...
| rex field=metrics "(?<metric_triple>\w+ \w+ \S+)" max_match=100
| fields - metrics
| mvexpand metric_triple
| rex field=metric_triple "(?<Devicename>\w+) (?<Attribute>\w+) (?<Value>\S+)"
| fields - metric_triple

The next lines pull out triples of strings; we then expand each event into one event per triple and finally pull out the three fields for each metric.

Interested readers can simulate this data with the lines:

| stats count as host
| eval host = "foo"
| eval metrics = "L2cache0 size 0 cd0 audio_supported yes cd0 cdda_supported yes cd0 data_verify enable cd0 prevent_eject yes en0 alias4 en0 alias6 en0 arp on en0 authority en0 broadcast en0 mtu 1500 en0 netaddr 157.191.125.12 en0"
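
The rex approach assumes every attribute carries a value, but the sample has several that do not (alias4, alias6, authority, broadcast), so consecutive triples drift out of alignment from `en0 alias4` onward. The Python below is an added example, not code from the answer above or from Splunk: it reproduces the drift and then parses the same string by anchoring each record on a device name, emitting the Hosts/Devicename/Attribute/Value rows the question asks for. The host name and the rule that device names are learned when a token opens a record are assumptions.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: the host1 output quoted in the question.
HOST = "host1"
SAMPLE = ("L2cache0 size 0 cd0 audio_supported yes cd0 cdda_supported yes "
          "cd0 data_verify enable cd0 prevent_eject yes en0 alias4 en0 alias6 "
          "en0 arp on en0 authority en0 broadcast en0 mtu 1500 "
          "en0 netaddr 157.191.125.12 en0")

Row = Tuple[str, str, str, str]  # (Hosts, Devicename, Attribute, Value)

def naive_triples(host: str, metrics: str) -> List[Row]:
    """Mirror the answer's rex: take three whitespace-separated tokens at a time."""
    return [(host, d, a, v) for d, a, v in re.findall(r"(\S+) (\S+) (\S+)", metrics)]

def parse_metrics(host: str, metrics: str,
                  devices: Optional[Set[str]] = None) -> Tuple[List[Row], List[str]]:
    """Device-anchored parse of 'device attribute [value]' records.
    Device names come from `devices` or are learned when a token opens a record
    (assumption); a known device in the value slot means the attribute has no
    value, so alias4 and friends stay aligned. A value equal to a known device
    name would be misread: pass `devices` explicitly in that case."""
    known: Set[str] = set(devices or ())
    tokens = metrics.split()
    rows: List[Row] = []
    warnings: List[str] = []
    i = 0
    while i < len(tokens):
        device = tokens[i]
        known.add(device)
        if i + 1 >= len(tokens):  # trailing device with nothing after it
            warnings.append(f"{host}: {device!r} has no attribute (truncated output?)")
            break
        has_value = i + 2 < len(tokens) and tokens[i + 2] not in known
        rows.append((host, device, tokens[i + 1], tokens[i + 2] if has_value else ""))
        i += 3 if has_value else 2
    return rows, warnings

def render_table(rows: List[Row]) -> str:
    """Fixed-width table in the Hosts/Devicename/Attribute/Value layout requested."""
    table = [("Hosts", "Devicename", "Attribute", "Value"), *rows]
    widths = [max(len(r[c]) for r in table) for c in range(4)]
    return "\n".join("    ".join(col.ljust(w) for col, w in zip(r, widths)).rstrip()
                     for r in table)

if __name__ == "__main__":
    parsed, warns = parse_metrics(HOST, SAMPLE)
    print(render_table(parsed), *warns, sep="\n")
```

The trailing bare `en0` in the sample is reported rather than silently dropped, which matches the follow-up complaint that the collected output is being truncated.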

zscgeek
Path Finder

Manuarora:

It's not clear to me from your post what the exact sed command is that you want, but here is an example of using SEDCMD to clean up stuff that you should be able to modify to your own needs.

Assuming you have a source type of voxeo_hosted_file you would do something like this:

props.conf:

[voxeo_hosted_file]
# Each of these SED commands is executed on the input stream 
SEDCMD-encode = s/Zyzzyva/SuperHostName/g s/\./ /g s/\//_/g

Original log line:

CXV0083919952/Zyzzyva/2010.06.20.15.22.42.536/OS/UserName/0eb59c29b4a2ba03=rj

Modified Log message after sed processing:

CXV0083919952_SuperHostName_2010 06 20 15 22 42 536_OS_UserName_0eb59c29b4a2ba03=rj

Hopefully this helps.

manuarora
Explorer

Thanks for the post, but actually the post above is not showing the output as desired; it is truncating empty lines. I want the output in the header format below:

Hosts Devicename Attribute Value

gkanapathy
Splunk Employee

You might want to re-edit and use the formatting and preview box (below the edit window) to see how your post will look to others and to format it to make it look how you want. It's hard to see what you have and what you want to format in its current form.
