Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Split unix commands

dwibedi03
Explorer
‎08-06-2020 12:03 PM

There is a command fields in my logs and consists of unix commands.

One value is 

/usr/bin/ssh -q -o ConnectTimeout=5 -o BatchMode=yes zevsbdr66599.prodb.cally.org netstat -rn

I am looking to extract netstat -rn. 

Can someone provide me a way to split ?

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 12:44 PM

May be because of double quotes using in rex. Remove and input them from your keyboard. 

107B04E0-D2A4-4346-B7D0-4CA369641F71.png

————————————
If this helps, give a like below.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mfasciano_splun
Splunk Employee
Splunk Employee
‎08-06-2020 12:43 PM

Are you looking to extract the field in a query through spl or are you trying to do a field extraction on ingest of the log data?

For the first you would add a field extraction in your props.conf file.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Exampleconfigurationswithprops.conf

For the second you would use the rex command as suggested.  

https://docs.splunk.com/Documentation/SCS/current/SearchReference/RexCommandExamples

The regex you would use depends on how consistant your logs are and if you could define a regex to match all of the logs you are concerned with.  Here is an example of what might work if all of your logs had the command at the end of the line:

| rex field=_raw “(?<command>[\w]+\s[-\w]*)$”

The above regex is not perfect.  You'll have to account for a command with and without arguments.  The above regex isn't perfect if your command doesn't have -xyz arguments.  

Reply
Solved! Jump to solution

dwibedi03
Explorer
‎08-06-2020 12:45 PM

Thanks for your reply. I will check it out.

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 12:18 PM

I am assuming all your commands at end of line.

 

| rex “(?<command>[\w]+\s[-\w]+)$”

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

dwibedi03
Explorer
‎08-06-2020 12:22 PM

@thambisetty  tried your solution. It throws error.

0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 12:44 PM

May be because of double quotes using in rex. Remove and input them from your keyboard. 

107B04E0-D2A4-4346-B7D0-4CA369641F71.png

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

dwibedi03
Explorer
‎08-06-2020 12:46 PM

Yes, i got to make it work. However it is not accounting for all the commands. I will  improvise. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...