Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- rex usage in splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rex usage in splunk
Hi,
i am trying to create a pie chart with gives %age up and down time of a system.
Splunk mines a log file with the below format giving the system availability stat.
If you see below, we have three status System up, down and down due to db failure.
we want to combine both the downs into single category of "Down"
Were using the below query in splunk to get the pie chart but the Down comes up in two different segment.
index=prd sourcetype="nodecheck" | rex "System (?
2014-03-17 15:53:00-SystemA System Up
2014-03-17 15:48:01-SystemA System Up
2014-03-17 15:43:00-SystemA System Up
2014-03-17 15:38:00-SystemA System Up
2014-03-17 15:33:00-SystemA System Up
2014-03-17 15:01:01-SystemA System Down
2014-03-17 15:31:00-SystemA System Down - Unable to connect to the Database!
2014-03-17 15:21:01-SystemA System Down - Unable to connect to the Database!
2014-03-17 15:11:01-SystemA System Down - Unable to connect to the Database!
2014-03-17 15:01:01-SystemA System Down - Unable to connect to the Database!
2014-03-17 14:48:00-SystemA System Up
2014-03-17 14:43:00-SystemA System Up
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this search code
index=prd sourcetype="nodecheck"|rex field=_raw "System\s+(?<SystemStatus>[^\$|^\!]+)"|chart count by SystemStatus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index=prd sourcetype="nodecheck" | rex "System\s(?<upordown>\w+)" | chart count by upordown
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rex "System (?<upordown>) .*"
This should provide you with just the single word following "System"
To be even more flexible you could change it to
rex "System\s(?<upordown>)\s.*"
This will ensure the word breaks happen for any whitespace character not just a space itself.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
