Splunk Search

help in eval

marees123
Path Finder

Hi Guys,

Need some help. I have two types of logs.

nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot
nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -

I created a query to list these logs in a table format...

*swt* "cold boot" OR "system restarted" | rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)" | rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)" | eval state=coldboot+restart | table host, state, _time

Trying to bring both results into the column called state with "eval state=coldboot+restart". I'm not getting them in the column state. Please help me to sort this out.

host          state    _time
nwfin1swt2             2015-07-27 23:01:29
nwfin2sw1001           2015-07-27 15:58:36.267
1 Solution

somesoni2
Revered Legend

Try this

 *swt* "cold boot" OR "system restarted" | rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)" | rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)" | eval state=coalesce(coldboot,"")+coalesce(restart,"") | table host, state, _time

Since both fields appear in different events, one will have a null value when the other is not null. The coalesce command will take the first non-null value (so the null value for coldboot or restart will be replaced by an empty string) and the concatenation will work fine.
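An added example, not from the thread, that rebuilds the two sample log lines with makeresults (one event per line, so each row only carries its own extracted field) and puts the null-propagating "+" beside the coalesce form so the difference is visible without indexed data. The host regex is an assumption that the host name is the first token of each line; state_first goes one step beyond the accepted answer by letting coalesce pick whichever field is non-null directly.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n=1,
    "nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot",
    "nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -")
| rex "^(?<host>\S+)"
| rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)"
| rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)"
| eval state_plus=coldboot+restart
| eval state_coalesce=coalesce(coldboot,"")+coalesce(restart,"")
| eval state_first=coalesce(coldboot,restart,"unknown")
| table host coldboot restart state_plus state_coalesce state_first
```

Expected: state_plus is empty on both rows because one operand is always null, while state_coalesce and state_first show "Cold boot" for nwfin1swt2 and "System restarted" for nwfin2sw1001.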


marees123
Path Finder

Thanks a lot. It worked 🙂 awesome...

Thanks again,

ohlafl
Communicator

What does *swt* "cold boot" OR "system restarted" imply?

Would this method be possible to use with two fields where the regex is replaced by getting data directly from a value?

marees123
Path Finder

Yes, this will give the raw results which contain the words cold boot and system restarted, like below:

nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot
nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -

krishnarajapant
Path Finder

Hi,

I believe you have to give space after the field names in eval expression.

*swt* "cold boot" OR "system restarted" | rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)" | rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)" | eval state= coldboot + restart | table host, state, _time

-Krishna Rajapantula.

krishnarajapant
Path Finder

Hi,

I'm not sure why it is not working for you. I have tested this in my environment. Did you try in your eval expression eval state= field1 + field2? Space between field1, + and field2?

-Krishna Rajapantula

marees123
Path Finder

Yes Krishna... tried the same and used . as well... don't know why... still searching....

marees123
Path Finder

Hi Krishna...

Thanks... I tried, but no output 😞

aholzel
Communicator

I assume that you are trying to concatenate the fields "coldboot" and "restart" in the field "state" in that case you need to use a "." and not a "+" to get them both in "state". Now you are trying to count them.

marees123
Path Finder

Hi aholzel,

Thanks for the reply.

Yes, I tried that as well: eval state = coldboot.restart

Still it's not working.

marees123
Path Finder

I tried state = coldboot." ".restart as well... no results...

aholzel
Communicator

Do you get any data if you try them individually?

.... | table host coldboot restart _time

and just to be sure you could add the "field=_raw" parameter to the rex command:

... | rex field=_raw "YOUR REGEX HERE"

marees123
Path Finder

Yes, I'm getting results if I use them separately; concatenation is not working.

aholzel
Communicator

Aaaa, I think I see it. In your regex you forgot the slash in front of w+ and s+, so that gives you empty fields. I tested and this should work:

*swt* "cold boot" OR "system restarted" 
| rex "(?i) Module 1: (?<coldboot>\w+\s+\w+)" 
| rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)" 
| eval state=coldboot." ".restart 
| table host, state, _time

marees123
Path Finder

Hi Aholzel,

This is the same script I used earlier.

eventtype = net *swt* "cold boot" OR "system restarted"
| rex "(?i) Module 1: (?P<coldboot>\w+\s+\w+)"
| rex "(?i) %SYS-CFC[1-9]-5-RESTART: (?P<restart>\w+\s+\w+)"
| eval state=coldboot." ".restart
| table host, state, _time

Where did I miss ""? Please let me know. Thanks.

marees123
Path Finder

If I display coldboot and restart separately, I'm getting results.

aholzel
Communicator

I see the slash is then probably only missing here because you didn't put everything in a code sample block.

I did this query to test and then everything is working:

index=* earliest=-10s@s
| eval colddata="nwfin1swt2 : 2015 Jul 27 23:01:29 CDT: %SATCTRL-FEX101-2-SATCTRL: FEX-101 Module 1: Cold boot" 
| eval restartdata="nwfin2sw1001 26: Jul 27 15:58:36.267: %SYS-CFC7-5-RESTART: System restarted -"
| rex field=colddata "(?i) Module 1: (?<coldboot>\w+\s+\w+)"
| rex field=restartdata "(?i) %SYS-CFC[1-9]-5-RESTART: (?<restart>\w+\s+\w+)"
| eval status=coldboot." ".restart
| table coldboot restart status

Can you test if that is also working in your environment? I did this in Splunk 6.2.3.

marees123
Path Finder

Hi aholzel,

It's listing all devices, and every row is getting filled with the same values. Please check the logs below for your reference.

host   coldboot   restart           status
lb01b  Cold boot  System restarted  Cold boot System restarted
lb01b  Cold boot  System restarted  Cold boot System restarted
lb01b  Cold boot  System restarted  Cold boot System restarted
