Hi,
I need help with the below.
There is a description column, which has values like:
Description
process_1_details : name : msmg cpu:43% memory:4% disk:67%
process_2_details : name : hefe cpu:0% memory:8% disk:56%
I want a search query to extract the name, cpu, memory and disk fields, and I want this kind of output:
name cpu memory disk
msmg msmg43% msmg4% msmg67%
hefe hefe0% hefe8% hefe56%
I want the process name to be attached to all the related details.
Hi @chuck_life09,
you have to extract the fields and combine them to get the wanted output, something like this:
your_search
| rex "^\w+\s+:\s+name\s+:\s+(?<name>[^ ]+)\s+cpu:(?<cpu>[^ ]+)\s+memory:(?<memory>[^ ]+)\s+disk:(?<disk>.*)"
| eval cpu=name.cpu, memory=name.memory, disk=name.disk
| table name cpu memory disk
You can test the regex at https://regex101.com/r/wGGNn6/1
Ciao.
Giuseppe