
rex 4 fields

indeed_2000
Motivator

Hi

How can I extract these fields:

field1=Version
field2=Author
field3=Date
field4=IssueNo

Here is the log:

23:53:00.512 app module: Abc , Ver:21.2 , 21/10/10 By: J_Danob customer
03:10:15.394 app module: cust_Pack.C, Ver:2.4, Last Updated:21/02/06, by:Jefri.Poor
22:21:51.398 app module: My Properties : Ver. 2.0, Last Updated: 20/03/02, By: Alex J Parson
04:11:26.184 app module: api.C, Ver.:6.0 , Last Updated: 21/11/05, By: J_Danob IssueNo: 12345
04:05:01.488 app module: AjaxSec.C , Ver: 2, 21/07/08 By:J_Danob app
12:27:24.259 app module: L: FORWARD 10 VER 6.1.0 [2021-05-04] [app] Ticket_Again BY Jack Danob
04:11:27.643 app module: [0]L: FORWARD 10 VER 6.2.7 [2021-08-17] [CUST] [ISSUENO:98765] [BY J_Danob] [Edit]
23:53:00.512 app module: Container Version 2.0.0 Added By Jack Danob Date 2021-01-01
23:53:00.512 app module: [0]L: ForwarderSB Version 3 By Danob 21/1/31 check all
04:11:26.186 app module: ApiGateway: Version[2.2.0] [21-09-26] [IssueNo:12345] [BY Jefri.Poor] [Solving]

Expected output:

Version  Date        Author         IssueNo
21.2     21/10/10    J_Danob
2.4      21/02/06    Jefri.Poor
2.0      20/03/02    Alex J Parson
6.0      21/11/05    J_Danob        12345
2        21/07/08    J_Danob
6.1.0    2021-05-04  Jack Danob
6.2.7    2021-08-17  J_Danob        98765
2.0.0    2021-01-01  Jack Danob
3        21/1/31     Danob
2.2.0    21-09-26    Jefri.Poor     12345

Thanks,

richgalloway
SplunkTrust

It's probably easier to do that with separate rex commands.

... | rex "V[eE][rR](?:sion)?[\.:\[]*\s*(?<Version>[\d\.]+)"
| rex "(?<Date>\d+[-\/]\d+[-\/]\d+)"
| rex "[bB][yY]:?\s*(?<Author>[^\s\]]+)"
| rex "I[sS][sS][uU][eE]N[oO]:\s*(?<IssueNo>\d+)"

Shame on the developer for such inconsistent logging.

---
If this reply helps you, Karma would be appreciated.

indeed_2000
Motivator

Thank you so much, it works; it has some issues that I will fix.

As you mention, there are lots of dev guys who do not obey principles and follow standards.

Another issue after extraction is this:

13:00:00:000   6.2   21/11/05   J_Danob   12345
13:00:00:000   6.1   21/11/05   J_Danob   12345
13:00:00:000   6.0   21/11/05   J_Danob   12345

In the same timestamp it prints the revision history; I need to extract the last version, e.g. in the above it is 6.2.

Do you have any idea about this?

Thanks

richgalloway
SplunkTrust

I don't understand what the new issue is.

---
If this reply helps you, Karma would be appreciated.
indeed_2000
Motivator

Sorry, I forgot to put the timestamp; I modified the last comment.

Is it clear now?

Thanks

richgalloway
SplunkTrust

I understand you want to keep the most recent version for each author. The dedup command will do that.

... | dedup Author

will retain the last version for each author and discard other events. You can use more than one field, if need be:

... | dedup Author IssueNo

---
If this reply helps you, Karma would be appreciated.
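To check the rex patterns and the dedup step from the two replies against the question's own events before putting them in a search, here is an added Python example (not from the thread or from Splunk). It assumes Python's `re` module, where the PCRE `(?<name>...)` groups Splunk uses are written `(?P<name>...)`, and that events reach dedup newest-first, as Splunk returns them by default.

```python
import re

# Constructed sample events, copied from the log excerpt in the question.
EVENTS = [
    "23:53:00.512 app module: Abc , Ver:21.2 , 21/10/10 By: J_Danob customer",
    "04:11:26.184 app module: api.C, Ver.:6.0 , Last Updated: 21/11/05, By: J_Danob IssueNo: 12345",
    "04:11:27.643 app module: [0]L: FORWARD 10 VER 6.2.7 [2021-08-17] [CUST] [ISSUENO:98765] [BY J_Danob] [Edit]",
    "04:11:26.186 app module: ApiGateway: Version[2.2.0] [21-09-26] [IssueNo:12345] [BY Jefri.Poor] [Solving]",
]

# The four rex patterns, with PCRE (?<name>...) groups written as Python's
# (?P<name>...). Version accepts a run of punctuation after "Ver" (needed for
# "Ver.:6.0") and Author stops at "]" (needed for "[BY J_Danob]").
PATTERNS = {
    "Version": re.compile(r"V[eE][rR](?:sion)?[\.:\[]*\s*(?P<Version>[\d\.]+)"),
    "Date": re.compile(r"(?P<Date>\d+[-/]\d+[-/]\d+)"),
    "Author": re.compile(r"[bB][yY]:?\s*(?P<Author>[^\s\]]+)"),
    "IssueNo": re.compile(r"I[sS][sS][uU][eE]N[oO]:\s*(?P<IssueNo>\d+)"),
}


def rex(event):
    """Apply each pattern like a separate `| rex` command: the first match
    in the event wins, and a field that does not match is left as None."""
    fields = {}
    for name, pattern in PATTERNS.items():
        m = pattern.search(event)
        fields[name] = m.group(name) if m else None
    return fields


def dedup(rows, *keys):
    """Mimic `| dedup key1 key2 ...`: keep the first row seen for each
    combination of key values. Because Splunk hands events over newest-first,
    the row kept is the most recent one for that combination."""
    seen = set()
    kept = []
    for row in rows:
        key = tuple(row.get(k) for k in keys)
        if key not in seen:
            seen.add(key)
            kept.append(row)
    return kept


if __name__ == "__main__":
    rows = [rex(event) for event in EVENTS]
    for row in rows:
        print(row)
    # Only the newest version per author survives, as in the follow-up question.
    print(dedup(rows, "Author"))
```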