Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Split unix commands

dwibedi03
Explorer
‎08-06-2020 12:03 PM

There is a command fields in my logs and consists of unix commands.

One value is 

/usr/bin/ssh -q -o ConnectTimeout=5 -o BatchMode=yes zevsbdr66599.prodb.cally.org netstat -rn

I am looking to extract netstat -rn. 

Can someone provide me a way to split ?

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 12:44 PM

May be because of double quotes using in rex. Remove and input them from your keyboard. 

107B04E0-D2A4-4346-B7D0-4CA369641F71.png

————————————
If this helps, give a like below.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mfasciano_splun
Splunk Employee
Splunk Employee
‎08-06-2020 12:43 PM

Are you looking to extract the field in a query through spl or are you trying to do a field extraction on ingest of the log data?

For the first you would add a field extraction in your props.conf file.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Exampleconfigurationswithprops.conf

For the second you would use the rex command as suggested.  

https://docs.splunk.com/Documentation/SCS/current/SearchReference/RexCommandExamples

The regex you would use depends on how consistant your logs are and if you could define a regex to match all of the logs you are concerned with.  Here is an example of what might work if all of your logs had the command at the end of the line:

| rex field=_raw “(?<command>[\w]+\s[-\w]*)$”

The above regex is not perfect.  You'll have to account for a command with and without arguments.  The above regex isn't perfect if your command doesn't have -xyz arguments.  

Reply
Solved! Jump to solution

dwibedi03
Explorer
‎08-06-2020 12:45 PM

Thanks for your reply. I will check it out.

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 12:18 PM

I am assuming all your commands at end of line.

 

| rex “(?<command>[\w]+\s[-\w]+)$”

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

dwibedi03
Explorer
‎08-06-2020 12:22 PM

@thambisetty  tried your solution. It throws error.

0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 12:44 PM

May be because of double quotes using in rex. Remove and input them from your keyboard. 

107B04E0-D2A4-4346-B7D0-4CA369641F71.png

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

dwibedi03
Explorer
‎08-06-2020 12:46 PM

Yes, i got to make it work. However it is not accounting for all the commands. I will  improvise. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top