A is running
b is running
Each event contains this kind of data. I want to create 2 fields, one capturing (A, B, C) in a row and the other capturing the corresponding status (running) in a row.
Please provide the needed help.
Thanks in advance.
Didn't work... :(
I think the rex pattern is causing the problem.
My data looks like:
'aaaa bbbb cccc dddd' (1234) is running.
'akdg ytdf tyui tyhj' (1245) is running.
So the output should be in two different fields:
aaaa bbbb cccc dddd running
...
See if you see the right values in the right panel on this site:
your search | rex field=_raw "(?<first>\w)\sis\s(?<status>\w+)" | table first status
Will the first column have only one letter (a or b or ...), or can it have a few letters (host1, etc.)?
Will status have only "running", or what other values can it have (running, not running, failed, etc.)?
There is no value under the table first status, i.e. I am not able to see any output.
"status" is the variable I am using to extract the word "running".
So under the field name "status" the value running should be populated, but the table is blank. There is just one row, with the name captured under <>.
I uploaded these sample events:
A is running
b is running
c is running
A is running
b is failed
c is running
I ran this query:
sourcetype=runningrex | rex field=_raw "(?<first>\w)\sis\s(?<status>\w+)" | table first status _raw
and I get this result:
first  status   _raw
c      running  c is running
b      failed   b is failed
A      running  A is running
c      running  c is running
b      running  b is running
A      running  A is running
Try this:
your search | rex field=_raw "(?<first>\w+)\sis\s(?<status>\w+)" | table first status
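The two rex patterns suggested above differ only in `\w` versus `\w+`, and the asker's later sample data ('name' (1234) is running.) matches neither. The following script is an added example, not code from the thread or from Splunk; it replays both patterns plus an assumed third one for the quoted form over constructed events, using Python's re module. Python spells named groups (?P<name>...) where Splunk's rex (PCRE) accepts (?<name>...); the patterns are otherwise identical to the ones in the thread. The rex() and unmatched() helpers and the QUOTED pattern are this example's own.

```python
import re

# Constructed sample events, modelled on the two data shapes posted in the thread.
SIMPLE_EVENTS = [
    "A is running",
    "b is running",
    "c is running",
    "b is failed",
    "host1 is running",   # a multi-character name, the case asked about in the thread
]
QUOTED_EVENTS = [
    "'aaaa bbbb cccc dddd' (1234) is running.",
    "'akdg ytdf tyui tyhj' (1245) is running.",
]

# Splunk's rex uses PCRE named groups (?<name>...); Python's re needs (?P<name>...).
# The two patterns suggested in the thread, translated one to one:
SINGLE_CHAR = r"(?P<first>\w)\sis\s(?P<status>\w+)"    # \w  : exactly one word character
WORD        = r"(?P<first>\w+)\sis\s(?P<status>\w+)"   # \w+ : a whole word
# Assumed pattern (not from the thread) for the quoted form 'name' (id) is status.
# Splunk equivalent: rex field=_raw "'(?<first>[^']+)'\s\((?<id>\d+)\)\sis\s(?<status>\w+)"
QUOTED = r"'(?P<first>[^']+)'\s\((?P<id>\d+)\)\sis\s(?P<status>\w+)"


def rex(pattern, events):
    """Mimic `| rex field=_raw "<pattern>" | table first status`.

    As with Splunk's rex, an event that does not match simply gets no fields,
    which is what shows up as a blank row in the table.
    """
    compiled = re.compile(pattern)
    rows = []
    for raw in events:
        m = compiled.search(raw)
        rows.append((m.group("first"), m.group("status")) if m else (None, None))
    return rows


def unmatched(pattern, events):
    """Return the raw events the pattern fails to extract from.

    This is the first thing to check when a rex-based table comes out blank:
    the regex, not the table command, is usually what is not matching.
    """
    compiled = re.compile(pattern)
    return [raw for raw in events if compiled.search(raw) is None]


if __name__ == "__main__":
    for label, pattern, events in [
        ("SINGLE_CHAR on simple events", SINGLE_CHAR, SIMPLE_EVENTS),
        ("WORD on simple events", WORD, SIMPLE_EVENTS),
        ("WORD on quoted events", WORD, QUOTED_EVENTS),
        ("QUOTED on quoted events", QUOTED, QUOTED_EVENTS),
    ]:
        print(f"== {label}")
        for raw, (first, status) in zip(events, rex(pattern, events)):
            print(f"{str(first):22} {str(status):8} {raw}")
        print("unmatched:", unmatched(pattern, events))
```

Running it shows the three behaviours the thread circles around: `\w` pulls only the last character before " is " (so "host1 is running" yields first="1"), `\w+` pulls the whole word, and neither matches the quoted events because the token before " is " is ")" rather than a word, which leaves every row blank exactly as the asker reported. The QUOTED pattern anchors on the quotes and the parenthesised number instead and extracts the multi-word name in one field and the status in the other.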
None of the solutions give the desired output. All outputs are blank.
I am using Splunk version 6.2.5; could this cause any problem?