Splunk Search

extract a string from source and table the list for the associated hosts.

sarnagar
Contributor

I have many sources/logfiles in a host like this:

/opt/ab/logs/abcd/apache/abcd-tcm.log
/opt/xy/logs/xyzz/apache/xyzz-tcm.log
/opt/pq/logs/xyzz/apache/pqrs-tcm.log

I'm interested in extracting the third string of the log, and I tried it via the command below into MyFieldName.
rex field=source "(\/opt\/.*\/logs\/(?<MyFieldName>.*)\/apache\/.*)"

Now I want to table out these MyFieldName values for a list of hosts. How can I achieve this?
i.e. Host A might have 4 MyFieldName values.

Host B might have 3 MyFieldName values.

These MyFieldName can be common amongst the hosts.

I'm not able to get this one-to-many (server-to-MyFieldName values) table.

When I try to dedup host OR MyFieldName with the below search, it truncates the results.

index="capgm" sourcetype=tc host=* | rex field=source "(\/opt\/.*\/logs\/(?<MyFieldName>.*)\/apache\/.*)" | where MyFieldName like "%%" | rename MyFieldName AS NewField, host AS SERVER | table NewField, SERVER | dedup NewField

I want something like this:

HOST  MyFieldName
A     xyzz
      abcd
B     xyzz
      pqrs
C     xyzz
      abcd
      pqrs


horsefez
Motivator

Hi,

Are you aware that your regular expression doesn't really extract a field?

This one should do the trick.

| rex field=source "\/opt\/[^\/]+?\/logs\/(?<myfield>[^\/]+?)\/"

And then do

| stats values(myfield) by host



sarnagar
Contributor

Hi @pyro_wood,

Thank you for the help.

My logfile path sometimes looks like this:

/opt/pq/logs/xyzz.backup1213/apache/pqrs-tcm.log

How can I modify the expression to extract only xyzz, without the word that follows the '.' operator, like in the above example?


horsefez
Motivator

Hi @sarnagar,

Like this:

| rex field=source "\/opt\/[^\/]+?\/logs\/(?<myfield>\w+?)(?:\/|\.)"

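The two rex patterns from the accepted answer and the follow-up, run over a constructed set of (host, source) events, as an added example that is not part of this thread and not Splunk's own code. It emulates `| rex field=source ... | stats values(myfield) by host` in Python so you can see why the first pattern keeps the `.backup1213` suffix and the refined one stops at the dot, and emulates `dedup` to show why deduplicating on either column drops rows from the one-to-many view. Splunk's rex uses PCRE named groups `(?<name>...)`; Python's `re` module spells them `(?P<name>...)`, which is the only change made to the patterns. The hostnames and paths are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample events: (host, source). Only the path shapes come from the
# question; the hosts and the mix per host are invented for this example.
EVENTS = [
    ("A", "/opt/ab/logs/xyzz/apache/xyzz-tcm.log"),
    ("A", "/opt/ab/logs/abcd/apache/abcd-tcm.log"),
    ("B", "/opt/xy/logs/xyzz/apache/xyzz-tcm.log"),
    ("B", "/opt/pq/logs/pqrs/apache/pqrs-tcm.log"),
    ("C", "/opt/pq/logs/xyzz.backup1213/apache/pqrs-tcm.log"),
    ("C", "/opt/ab/logs/abcd/apache/abcd-tcm.log"),
    ("C", "/opt/pq/logs/pqrs/apache/pqrs-tcm.log"),
]

# Accepted answer: lazy "anything but a slash" up to the next slash.
ACCEPTED = re.compile(r"/opt/[^/]+?/logs/(?P<myfield>[^/]+?)/")
# Follow-up: word characters only, terminated by either a slash or a dot.
REFINED = re.compile(r"/opt/[^/]+?/logs/(?P<myfield>\w+?)(?:/|\.)")


def extract(pattern, source):
    """Return the captured myfield for one source path, or None if no match
    (Splunk's rex simply leaves the field absent in that case)."""
    m = pattern.search(source)
    return m.group("myfield") if m else None


def values_by_host(events, pattern):
    """Emulate `| rex ... | stats values(myfield) by host`: one row per host
    holding the distinct, sorted set of extracted values (the one-to-many table)."""
    out = defaultdict(set)
    for host, source in events:
        value = extract(pattern, source)
        if value is not None:
            out[host].add(value)
    return {host: sorted(values) for host, values in sorted(out.items())}


def dedup_by(events, pattern, key):
    """Emulate `| table host myfield | dedup <key>`: dedup keeps only the first
    row seen for each value of the key field, so deduplicating on either column
    silently discards the other host/value combinations."""
    seen = set()
    rows = []
    for host, source in events:
        value = extract(pattern, source)
        if value is None:
            continue
        k = value if key == "myfield" else host
        if k in seen:
            continue
        seen.add(k)
        rows.append((host, value))
    return rows


if __name__ == "__main__":
    for name, pattern in (("accepted", ACCEPTED), ("refined", REFINED)):
        print(f"stats values(myfield) by host, {name} pattern:")
        for host, values in values_by_host(EVENTS, pattern).items():
            print(f"  {host:<4} {', '.join(values)}")
    print("dedup myfield (accepted pattern) keeps only:",
          dedup_by(EVENTS, ACCEPTED, "myfield"))
```

Run as a script it prints the per-host table for both patterns; the accepted pattern lists `xyzz.backup1213` under host C, the refined one lists `xyzz`, and the dedup emulation shows four rows surviving out of seven events, which is the truncation the question describes. The `\w+?` in the refined pattern is lazy, so it stops at the first slash or dot; a directory name containing a hyphen would also be cut short, which is the caveat to check against your real source paths before relying on it.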

peterchenadded
Path Finder

A little hard to understand, but it seems like you want to use the stats values function, e.g.

... | stats values(myfieldname) by host
