Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract a string from source and table the list for the associated hosts.

sarnagar
Contributor
‎11-03-2017 04:10 AM

I have many sources/logfiles in a host like this:

/opt/ab/logs/abcd/apache/abcd-tcm.log
/opt/xy/logs/xyzz/apache/xyzz-tcm.log
/opt/pq/logs/xyzz/apache/pqrs-tcm.log

Im interested in extracting the third string of the log and I tried it via the below command to MyFieldName.
rex field=source "(\/opt\/.\/logs\/(?.)\/apache\/.)"

Now I want to table out these MyFieldName for a list of hosts. How can I achieve this?
ie. Host A might have MyFieldName 4 values.

Host B misht MyFieldName 3 values.

These MyFieldName can be common amongst the hosts.

Im not able to get this ont-to-many (server-to-MyFieldName values) Table.

When I try to dedup host OR MyFieldName with belwo search , it truncates the results.

index="capgm" sourcetype=tc host=* | rex field=source "(\/opt\/.\/logs\/(?.)\/apache\/.)" | where MyFieldName like "%%" | rename MyFieldName AS NewField, host AS SERVER | table NewField, SERVER | dedup NewField

I want something like this

HOST MyFieldName

A xyzz
abcd

B xyzz
pqrs

C xyzz
abcd
pqrs

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

horsefez
SplunkTrust
SplunkTrust
‎11-03-2017 05:03 AM

Hi,

are you aware that your regular expression doesn't really extract a field?

This one should do the trick.

| rex field=source "\/opt\/[^\/]+?\/logs\/(?<myfield>[^\/]+?)\/"

An then do 

| stats values(myfieldname) by host

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

horsefez
SplunkTrust
SplunkTrust
‎11-03-2017 05:03 AM

Hi,

are you aware that your regular expression doesn't really extract a field?

This one should do the trick.

| rex field=source "\/opt\/[^\/]+?\/logs\/(?<myfield>[^\/]+?)\/"

An then do 

| stats values(myfieldname) by host
0 Karma
Reply
Solved! Jump to solution

sarnagar
Contributor
‎11-04-2017 01:34 AM

HI @pyro_wood ,

Thankyou for the help..

My logfile sometimes contains like this

/opt/pq/logs/xyzz.backup1213/apache/pqrs-tcm.log

How can I modify the expression to extrat only xyzz without the the word that follow '.' operator? like in above example

0 Karma
Reply
Solved! Jump to solution

horsefez
SplunkTrust
SplunkTrust
‎11-04-2017 05:20 AM

Hi @samagar

like this \/opt\/[^\/]+?\/logs\/(?<myfield>\w+?)(?:\/|\.)

0 Karma
Reply
Solved! Jump to solution

peterchenadded
Path Finder
‎11-03-2017 04:23 AM

Little bit hard to understand, but seems like you want to use the stats values function e.g.

... | stats values(myfieldname) by host

Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...