Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- rex 4 fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rex 4 fields
Hi
How can extract these fields:
field1=Version
field2=Author
field3=Date
field4=IssueNo
Here is the log:
23:53:00.512 app module: Abc , Ver:21.2 , 21/10/10 By: J_Danob customer
03:10:15.394 app module: cust_Pack.C, Ver:2.4, Last Updated:21/02/06, by:Jefri.Poor
22:21:51.398 app module: My Properties : Ver. 2.0, Last Updated: 20/03/02, By: Alex J Parson
04:11:26.184 app module: api.C, Ver.:6.0 , Last Updated: 21/11/05, By: J_Danob IssueNo: 12345
04:05:01.488 app module: AjaxSec.C , Ver: 2, 21/07/08 By:J_Danob app
12:27:24.259 app module: L: FORWARD 10 VER 6.1.0 [2021-05-04] [app] Ticket_Again BY Jack Danob
04:11:27.643 app module: [0]L: FORWARD 10 VER 6.2.7 [2021-08-17] [CUST] [ISSUENO:98765] [BY J_Danob] [Edit]
23:53:00.512 app module: Container Version 2.0.0 Added By Jack Danob Date 2021-01-01
23:53:00.512 app module: [0]L: ForwarderSB Version 3 By Danob 21/1/31 check all
04:11:26.186 app module: ApiGateway: Version[2.2.0] [21-09-26] [IssueNo:12345] [BY Jefri.Poor] [Solving]
expected output:
Version Date Author IssueNo
21.2 21/10/10 J_Danob
2.4 21/02/06 Jefri.Poor
2.0 20/03/02 Alex J Parson
6.0 21/11/05 J_Danob 12345
2 21/07/08 J_Danob
6.1.0 2021-05-04 Jack Danob
6.2.7 2021-08-17 J_Danob 98765
2.0.0 2021-01-01 Jack Danob
3 21/1/31 Danob
2.2.0 21-09-26 Jefri.Poor 12345
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's probably easier to do that with separate rex commands.
... | rex "V[eE][rR](?:sion)?[\.:\[]?\s*(?<Version>[\d\.]+)"
| rex "(?<Date>\d+[-\/]\d+[-\/]\d+)"
| rex "[bB][yY]:?\s*(?<Author>\S+)"
| rex "I[sS][sS][uU][eE]N[oO]:\s*(?<IssueNo>\d+)"Shame on the developer for such inconsistent logging.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much, it work, it has some issue that i will fix them.
as you mention there are lots of dev guys who not obey principle and follow standard.
another issue after extract is this:
13:00:00:000 6.2 21/11/05 J_Danob 12345
13:00:00:000 6.1 21/11/05 J_Danob 12345
13:00:00:000 6.0 21/11/05 J_Danob 12345
in same timestamp print history of revisioning, need to extract last version. e.g in above is 6.2.
do have any idea about this?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't understand what the new issue is.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I forgot put timestamp, modify last comment.
is it clear now?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I understand you want to keep the most recent version for each author. The dedup command will do that.
... | dedup Authorwill retain the last version for each author and discard other events. You can use more than one field, if need be:
... | dedup Author IssueNo
If this reply helps you, Karma would be appreciated.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
