Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: see results of a rex command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have this rex code to extract the string from an event field:
| rex "(?\d{1,2})\s+hours?\s+ago"
| eval process=case(Time<4, "Process Up", true(), "Process down")
this is the event field:
Event
0 minutes ago, vmkid-p4rbdb03.lm.lmig.com, windows 6.3.9600.
1 minute ago, vmpid-h4eip001.lm.lmig.com, windows 6.3.9600.
What i wanted to do is extract the 1st string w/out the minute(s) ago and use an argument to check if this is less than 4, if it is i want to label it "Process up" and if not, it should be "Process down"
my code above is not working as it's marking all servers with less than 4 as Process down. that's why i wanted to see the results for the rex command
can you help me?
thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this run anywhere search:
| makeresults
| eval data="5 minutes ago, vmkid-p4rbdb03.lm.lmig.com, windows 6.3.9600.:1 minute ago, vmpid-h4eip001.lm.lmig.com, windows 6.3.9600."
| makemv data delim=":"
| mvexpand data
| rex field=data "(?<Time>\d{1,2})\s+(minute|hour)s?\s+ago"
| eval process=if(Time<4,"Process Up","Process Down")
On your prod data you should try:
.. | rex field=_raw "(?<Time>\d{1,2})\s+(minute|hour)s?\s+ago"
| eval process=if(Time<4,"Process Up","Process Down")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this run anywhere search:
| makeresults
| eval data="5 minutes ago, vmkid-p4rbdb03.lm.lmig.com, windows 6.3.9600.:1 minute ago, vmpid-h4eip001.lm.lmig.com, windows 6.3.9600."
| makemv data delim=":"
| mvexpand data
| rex field=data "(?<Time>\d{1,2})\s+(minute|hour)s?\s+ago"
| eval process=if(Time<4,"Process Up","Process Down")
On your prod data you should try:
.. | rex field=_raw "(?<Time>\d{1,2})\s+(minute|hour)s?\s+ago"
| eval process=if(Time<4,"Process Up","Process Down")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you so much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is there a way to make the data generic? i have multiple search results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didn't get you. could you pls elaborate ?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
