
Rex and sed usage

Explorer

I want to convert the output below into something more meaningful:

L2cache0 size 0 cd0 audio_supported yes cd0 cdda_supported yes cd0 data_verify enable cd0 prevent_eject yes en0 alias4 en0 alias6 en0 arp on en0 authority en0 broadcast en0 mtu 1500 en0 netaddr 157.191.125.12 en0 

This is for host1, and similarly for all other hosts. Into something like:

Hosts    Devicename    Attribute             Value
host1    L2cache0      size                  0
host1    cd0           audio_supported       yes
host1    cd0           data_verify           enable

and so on....

Splunk Employee

This is certainly a little tricky but is definitely doable. Below is a search sample. Assume that you have a field called "metrics" with the above data.

...
| rex field=metrics "(?<metric_triple>\S+ \S+ \S+)" max_match=100
| fields - metrics
| mvexpand metric_triple
| rex field=metric_triple "(?<Devicename>\S+) (?<Attribute>\S+) (?<Value>\S+)"
| fields - metric_triple

The next lines pull out triples of strings; we then expand each event into one per triple and finally pull out the three fields for each metric.

Interested readers can simulate this data with the lines:

| stats count as host
| eval host = "foo"
| eval metrics = "L2cache0 size 0 cd0 audio_supported yes cd0 cdda_supported yes cd0 data_verify enable cd0 prevent_eject yes en0 alias4 en0 alias6 en0 arp on en0 authority en0 broadcast en0 mtu 1500 en0 netaddr 157.191.125.12 en0"
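The triple split above assumes every attribute carries a value, which the sample data does not guarantee (en0 alias4, en0 alias6, en0 authority and en0 broadcast have none, and the string ends with a bare en0). The following Python is an added example, not part of the answer or of Splunk: it runs the naive three-tokens-per-record split next to a device-anchored split so the misalignment is visible, and it assumes the device names (L2cache0, cd0, en0) are known up front, for instance from an inventory list.

```python
import re

# Sample constructed from the question above (one host's attribute dump).
# Several attributes carry no value and the string ends with a dangling
# device name, which is what breaks a fixed "three tokens per record" split.
SAMPLE_HOST = "host1"
SAMPLE_METRICS = (
    "L2cache0 size 0 cd0 audio_supported yes cd0 cdda_supported yes "
    "cd0 data_verify enable cd0 prevent_eject yes en0 alias4 en0 alias6 "
    "en0 arp on en0 authority en0 broadcast en0 mtu 1500 "
    "en0 netaddr 157.191.125.12 en0"
)
# Assumption: the device names are known in advance (inventory, lsdev, ...).
KNOWN_DEVICES = {"L2cache0", "cd0", "en0"}


def parse_triples(host, metrics):
    """Fixed three-tokens-per-record split, mirroring the rex in the answer."""
    return [
        (host, m.group(1), m.group(2), m.group(3))
        for m in re.finditer(r"(\S+) (\S+) (\S+)", metrics)
    ]


def parse_records(host, metrics, devices):
    """Device-anchored split: each known device name starts a record, the next
    token is the attribute, and a value is present only when the token after
    the attribute is not itself a device name."""
    tokens = metrics.split()
    rows = []
    i = 0
    while i < len(tokens):
        dev = tokens[i]
        if dev not in devices:
            raise ValueError(f"unexpected token {dev!r} at position {i}")
        if i + 1 >= len(tokens):
            break  # dangling device name with no attribute (end of sample)
        attr = tokens[i + 1]
        i += 2
        value = ""
        if i < len(tokens) and tokens[i] not in devices:
            value = tokens[i]
            i += 1
        rows.append((host, dev, attr, value))
    return rows


def format_table(rows, header=("Hosts", "Devicename", "Attribute", "Value")):
    """Render rows as the aligned plain-text table the question asks for."""
    all_rows = [header] + [tuple(r) for r in rows]
    widths = [max(len(r[c]) for r in all_rows) for c in range(4)]
    return "\n".join(
        "  ".join(cell.ljust(w) for cell, w in zip(r, widths)).rstrip()
        for r in all_rows
    )


if __name__ == "__main__":
    print("naive triples (note the shifted en0 rows):")
    print(format_table(parse_triples(SAMPLE_HOST, SAMPLE_METRICS)))
    print()
    print("device-anchored records:")
    print(format_table(parse_records(SAMPLE_HOST, SAMPLE_METRICS, KNOWN_DEVICES)))
```

On the sample, the naive split yields a row (en0, alias4, en0) and every row after it is shifted, while the device-anchored split yields twelve correctly aligned rows with empty values where the source had none. The same idea carries back into SPL: anchor each record on the device name rather than on a fixed token count.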

Path Finder

Manuarora:

It's not clear to me from your post what the exact sed command is that you want, but here is an example of using SEDCMD to clean up stuff that you should be able to modify to your own needs:

Assuming you have a source type of voxeo_hosted_file you would do something like this:

props.conf:

[voxeo_hosted_file]
# Each of these SED commands is executed on the input stream 
SEDCMD-encode = s/Zyzzyva/SuperHostName/g s/\./ /g s/\//_/g

Original log line:

CXV0083919952/Zyzzyva/2010.06.20.15.22.42.536/OS/UserName/0eb59c29b4a2ba03=rj

Modified Log message after sed processing:

CXV0083919952_SuperHostName_2010 06 20 15 22 42 536_OS_UserName_0eb59c29b4a2ba03=rj

Hopefully this helps.

0 Karma
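To see how the SEDCMD script above turns the original log line into the modified one, here is an added Python example that is not part of the answer and not Splunk's own SEDCMD implementation: a minimal interpreter for a whitespace-separated list of s/pattern/replacement/flags expressions, applied in order to the line. It only handles literal replacements (no & or \1 group references) and the g and i flags; the script and both log lines are copied from the answer.

```python
import re

# Script and log line taken from the props.conf example above.
SED_SCRIPT = r"s/Zyzzyva/SuperHostName/g s/\./ /g s/\//_/g"
ORIGINAL_LINE = (
    "CXV0083919952/Zyzzyva/2010.06.20.15.22.42.536/OS/UserName/0eb59c29b4a2ba03=rj"
)

# s/<pattern>/<replacement>/<flags>; a "/" inside pattern or replacement is
# written as "\/", so each part is a run of escaped chars or non-slash chars.
_SED_EXPR = re.compile(r"s/((?:\\.|[^/\\])*)/((?:\\.|[^/\\])*)/([gi]*)")


def parse_sed_script(script):
    """Split the script into (pattern, replacement, flags) tuples, in order.
    Anything between expressions other than whitespace is a syntax error."""
    exprs = []
    pos = 0
    for m in _SED_EXPR.finditer(script):
        if script[pos:m.start()].strip():
            raise ValueError(f"cannot parse sed script near {script[pos:m.start()]!r}")
        exprs.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    if script[pos:].strip():
        raise ValueError(f"cannot parse sed script near {script[pos:]!r}")
    return exprs


def apply_sed_script(script, line):
    """Apply each substitution to the line in script order and return the result."""
    for pattern, repl, flags in parse_sed_script(script):
        # "\/" in the replacement means a literal slash; the replacement is
        # otherwise literal (group references are not supported here).
        literal = repl.replace("\\/", "/")
        count = 0 if "g" in flags else 1
        re_flags = re.IGNORECASE if "i" in flags else 0
        line = re.sub(pattern, lambda _m: literal, line, count=count, flags=re_flags)
    return line


if __name__ == "__main__":
    print(apply_sed_script(SED_SCRIPT, ORIGINAL_LINE))
```

Running it on the original line reproduces the modified line shown in the answer: the hostname is rewritten, every dot becomes a space and every slash becomes an underscore.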

Explorer

Thanks for the post, but actually the post above is not showing the output as desired; it is truncating empty lines. I want the output in the header format below:

Hosts Devicename Attribute Value

0 Karma

Splunk Employee

You might want to re-edit and use the formatting and preview box (below the edit windows) to see how your post will look to others and to format it to make it look how you want. It's hard to see what you have and what you want to format in its current form.

0 Karma