Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

field extraction from source log path

ravir_jbp
Explorer
‎09-25-2023 07:44 AM

 

how to extract the node name from the different GC source location:

I have below sample three source location and I am looking for rex that can extract node name as "node02, Node03 and "web39". My rex command is not working.

source= E:\total\int\ts1\Ddoss\node\node02\data\gc.log
source=E:\total\int\ts1\Ddoss\swxx\node03\data\gc.log
source=E:\total\int\ts1\Ddoss\web\web39\data\gc.log

Labels (1)
Labels
Tags (1)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-19-2023 09:11 AM

I would be cautious to anchor regex as closely as the data is regular.  Something like

 

| rex field=source "\\\t4\\\(apch\\\node|logs)\\\(?<node>[^-\\\\]+)"

 

This should give

nodesource
node06E:\view\int\t4\apch\node\node06\log\server.log
node06E:\view\int\t4\apch\node\node06\log\run.log
node03E:\view\int\t4\apch\node\node03\log\server.log
node01E:\view\int\t4\apch\node\node01\log\server.log
node01E:\view\int\t4\apch\node\node01\log\run.log
core02E:\view\int\t4\logs\core02-core.log
web37E:\view\int\t4\logs\web37-wfmws.log
core01E:\view\int\t4\logs\core01-core.log

You can play with the emulation @ITWhisperer offered and compare with real data.

 

| makeresults format=csv data="source
E:\view\int\t4\apch\node\node06\log\server.log
E:\view\int\t4\apch\node\node06\log\run.log
E:\view\int\t4\apch\node\node03\log\server.log
E:\view\int\t4\apch\node\node01\log\server.log
E:\view\int\t4\apch\node\node01\log\run.log
E:\view\int\t4\logs\core02-core.log
E:\view\int\t4\logs\web37-wfmws.log
E:\view\int\t4\logs\core01-core.log"
``` data emulation above ```

 

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-25-2023 07:50 AM 
| rex field=source "^([^\\\\]+\\\\){6}(?<node>[^\\\\]+)"
0 Karma
Reply

ravir_jbp
Explorer
‎10-19-2023 07:37 AM

@ITWhisperer 

I tried using above rex for these log source but not working:

For below 5 different log source I like to extract node number like node06, node03, node01

E:\view\int\t4\apch\node\node06\log\server.log
E:\view\int\t4\apch\node\node06\log\run.log
E:\view\int\t4\apch\node\node03\log\server.log
E:\view\int\t4\apch\node\node01\log\server.log
E:\view\int\t4\apch\node\node01\log\run.log

For below 3 log source I like to extract as core02, web37, core01


E:\view\int\t4\logs\core02-core.log
E:\view\int\t4\logs\web37-wfmws.log
E:\view\int\t4\logs\core01-core.log

 

Since both log format is different above solution you shared is not working. Please help

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 08:05 AM

Here is a runanywhere example showing it working

| makeresults format=csv data="source
E:\view\int\t4\apch\node\node06\log\server.log
E:\view\int\t4\apch\node\node06\log\run.log
E:\view\int\t4\apch\node\node03\log\server.log
E:\view\int\t4\apch\node\node01\log\server.log
E:\view\int\t4\apch\node\node01\log\run.log
E:\view\int\t4\logs\core02-core.log
E:\view\int\t4\logs\web37-wfmws.log
E:\view\int\t4\logs\core01-core.log"
| rex field=source "^([^\\\\]+\\\\){5}(?<node>[^-]+)"
| rex field=source "^([^\\\\]+\\\\){6}(?<node>[^\\\\]+)"

Note if these different formats for source are used in the same search then the order is significant, otherwise just use the relevant rex pertaining to the source name format

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Splunk ITSI & Correlated Network Visibility

  Now On Demand   Take Your Network Visibility to the Next Level In today’s complex IT environments, ...

Community Content Calendar, August edition

In the dynamic world of cybersecurity, staying ahead means constantly solving new puzzles and optimizing your ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
Top