Split unix commands

dwibedi03
Explorer

There is a command field in my logs that consists of unix commands.

One value is 

/usr/bin/ssh -q -o ConnectTimeout=5 -o BatchMode=yes zevsbdr66599.prodb.cally.org netstat -rn

I am looking to extract netstat -rn. 

Can someone provide me a way to split it?


mfasciano_splun
Splunk Employee

Are you looking to extract the field in a query through spl or are you trying to do a field extraction on ingest of the log data?

For the first you would add a field extraction in your props.conf file.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Exampleconfigurationswithprops.conf

For the second you would use the rex command as suggested.  

https://docs.splunk.com/Documentation/SCS/current/SearchReference/RexCommandExamples

The regex you would use depends on how consistent your logs are and if you could define a regex to match all of the logs you are concerned with.  Here is an example of what might work if all of your logs had the command at the end of the line:

| rex field=_raw “(?<command>[\w]+\s[-\w]*)$”

The above regex is not perfect.  You'll have to account for a command with and without arguments.  The above regex isn't perfect if your command doesn't have -xyz arguments.  

dwibedi03
Explorer

Thanks for your reply. I will check it out.


thambisetty
Super Champion

I am assuming all your commands are at the end of the line.


| rex “(?<command>[\w]+\s[-\w]+)$”

————————————
If this helps, give a like below.

dwibedi03
Explorer

@thambisetty tried your solution. It throws an error.


thambisetty
Super Champion

Maybe it is because of the double quotes used in rex. Remove them and type them from your keyboard.

————————————
If this helps, give a like below.

dwibedi03
Explorer

Yes, I got it to work. However, it is not accounting for all the commands. I will improvise. Thanks.
