Solved: extract value with matching multiple fields

bharathk5678 · ‎02-09-2017

If i have events like below,

domain=abc, sever=abc_s1,status=running
domain=abc, server=abc_s2,status=shutdown
domain=xyz, sever=xyz_s1,status=running
domain=xyz, server=xyz_s2,status=shutdown

I want to create a table like below with new fields instance1 and instance2, where instance1 should have the value of status for ($domain)_s1 . and instance2 should have the value of status for $domain_s2

can be this achievable?

domain            instance1    instance2
abc               running      shutdown
xyz               running      shutdown

somesoni2 · ‎02-09-2017

Give this a try

your current search giving fields domain, server, status
| eval instance="instance".replace(server,"(.+)(\d)$","\2")
| chart values(status) over domain by instance

View solution in original post

DalJeanis · ‎02-09-2017

This inserts your sample data

|makeresults 
| eval mydata=mvappend("domain=abc, server=abc_s1,status=running",
"domain=abc, server=abc_s2,status=shutdown",
"domain=xyz, server=xyz_s1,status=running",
"domain=xyz, server=xyz_s2,status=shutdown")
| mvexpand mydata

This turns it into the requested chart-

| rex field=mydata "domain=(?<mydomain>[^,]*),\s*server=(?<myserver>[^_]*_(?<myinstance>[^,]+)),\s*status=(?<mystatus>.*)"
| chart first(mystatus) as status over mydomain by myinstance

With the results looking like this -

mydomain  s1        s2        
abc       running   shutdown  
xyz       running   shutdown

I've assumed that your server names are constructed by domain name, an underscore, and the instance name.

somesoni2 · ‎02-09-2017

Give this a try

your current search giving fields domain, server, status
| eval instance="instance".replace(server,"(.+)(\d)$","\2")
| chart values(status) over domain by instance

bharathk5678 · ‎02-09-2017

got partial results.

I am getting the output in like below format. but it's not showing two different columns with instance1 and instance2

domain NULL
abc running
xyz running

DalJeanis · ‎02-09-2017

also, is it "server" or "sever"?

somesoni2 · ‎02-09-2017

This works fine based on your sample data (see this run anywhere sample). It seems the format of server is different causing the replace function to fail and return NULL. Could you provide some real sample values of the field server? Do they end with a number like in question?

| gentimes start=-1 | eval temp="abc,abc_s1,running abc,abc_s2,down xyz,xyz_s1,running xyz,xyz_s2,running" | table temp | makemv temp | mvexpand temp | rex field=temp "(?<domain>.+),(?<server>.+),(?<status>.+)" | fields - temp | eval instance="instance".replace(server,"(.+)(\d)$","\2") | chart values(status) over domain by instance

bharathk5678 · ‎02-09-2017

sry given wrong field name. now it's worked perfectly as expected.

worked query:
your current search giving fields domain, server, status
| eval instance="instance".replace(server,"(.+)(\d)$","\2")
| chart values(status) over domain by instance

Thank you

extract value with matching multiple fields

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?