cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
tha_ghost99
Path Finder
Member since: ‎11-23-2022
‎12-06-2023
Community Statistics
Posts 18
Solutions 0
Karma Given 5
Karma Received 0
Member Since ‎11-23-2022
Activity Feed
View All

Re: Regex search on multiple lines and displaying ...

by SplunkTrust in Splunk Search
‎11-29-2022 10:09 AM
1 Karma
‎11-29-2022 10:09 AM
1 Karma
You previously stated that you have a field called "core_dump" that only contain the dump data.  To work from _raw, you need to get to that field first. | rex mode=sed "s/.*//" ``` get rid of first line ``` | eval core_dump = mvindex(split(_raw, " "), 0, 1) ``` split two nodes ``` | mvexpand core_dump ``` split events according to node ``` | eval core_dump = mvmap(core_dump, replace(core_dump, "\n(.*: No such file or directory|---*|total files:.*)", "")) ``` remove unwanted lines ``` (I assume that you don't want that total files line, either.) Again, I tested against this emulation. | makeresults | eval _raw = "Oct 11 11:32:45 node0: -------------------------------------------------------------------------- /var/crash/*core*: No such file or directory -rw-rw---- 1 nobody wheel 1251399200 Oct 11 10:29 /var/tmp/C1.core.0.gz -rw-rw---- 1 nobody wheel 1254654282 Oct 11 10:27 /var/tmp/C3.core.0.gz -rw-rw---- 1 nobody wheel 1093812660 Mar 11 2022 /var/tmp/C0.core.0.gz -rw-rw---- 1 nobody wheel 1255530083 Oct 11 10:24 /var/tmp/IC1.core.0.gz -rw-rw---- 1 nobody wheel 184401920 Mar 11 2022 /var/tmp/IC2.core.0.gz -rw-rw---- 1 nobody wheel 1251262474 Mar 1 2022 /var/tmp/IC3.core.0.gz -rw-rw---- 1 nobody wheel 1256350152 Oct 12 10:21 /var/tmp/IC3.core.1.gz /var/tmp/pics/*core*: No such file or directory /var/crash/kernel.*: No such file or directory /var/jails/rest-api/tmp/*core*: No such file or directory /tftpboot/corefiles/*core*: No such file or directory /jail/var/tmp/*core*: No such file or directory total files: 7 node1: -------------------------------------------------------------------------- /var/crash/*core*: No such file or directory -rw-rw---- 1 nobody wheel 34766848 Mar 2 2022 /var/tmp/IC3.core.0.gz -rw-rw---- 1 nobody wheel 1151312299 Mar 1 2022 /var/tmp/IC0.core.0.gz -rw-rw---- 1 nobody wheel 1153074056 Mar 1 2022 /var/tmp/IC1.core.0.gz -rw-rw---- 1 nobody wheel 1158385356 Mar 1 2022 /var/tmp/IC2.core.0.gz -rw-rw---- 1 nobody wheel 1150786252 Mar 1 2022 /var/tmp/IC3.core.0.gz -rw-rw---- 1 root wheel 140366826 Dec 14 2021 /var/tmp/2d.core-tarball.0.tgz -rw-rw---- 1 root wheel 140020614 Feb 12 2022 /var/tmp/b2d.core-tarball.1.tgz /var/tmp/pics/*core*: No such file or directory /var/crash/kernel.*: No such file or directory /var/jails/rest-api/tmp/*core*: No such file or directory /tftpboot/corefiles/*core*: No such file or directory /jail/var/tmp/*core*: No such file or directory total files: 7 {primary:node0}" | fields - _time ``` data emulation above ```   ... View more

Re: How to group fields into a single line inside ...

by SplunkTrust in Splunk Search
‎11-29-2022 09:34 AM
1 Karma
‎11-29-2022 09:34 AM
1 Karma
If you haven't extracted relevant segments into its own field, do it first.  Then manipulate strings. | eval data = mvindex(split(_raw, " "), 2, -2) ``` retrieve segments related to redundancy group ``` | mvexpand data ``` treat them as own events ``` | eval data = split(data, " ") ``` take advantage of fixed line order ``` | eval node = mvrange(1,3) | eval data = mvmap(node, mvindex(data, 0) . "," . mvindex(data, node)) ``` compose display lines ``` | mvexpand data ``` optional - make each line its own row ```  Again, I used this for emulation: | makeresults | eval _raw = "Nov 27 13:36:45 Monitor Failure codes: CS Cold Sync monitoring FL Fabric Connection monitoring GR GRES monitoring HW Hardware monitoring IF Interface monitoring IP IP monitoring LB Loopback monitoring MB Mbuf monitoring NH Nexthop monitoring NP NPC monitoring SP SPU monitoring SM Schedule monitoring CF Config Sync monitoring RE Relinquish monitoring IS IRQ storm Cluster ID: 1 Node Priority Status Preempt Manual Monitor-failures Redundancy group: 0 , Failover count: 0 node0 200 primary no no None node1 2 secondary no no None Redundancy group: 1 , Failover count: 2 node0 200 primary no no None node1 20 secondary no no None Redundancy group: 2 , Failover count: 2 node0 200 primary no no None node1 2 secondary no no None {primary:node0}" | fields - _time ``` data emulation above= ``` You can verify that the output is exactly what you prescribed when you combine this with the above. ... View more

Re: How to perform a regex where grouping multiple...

by in Splunk Search
‎11-28-2022 08:57 AM
‎11-28-2022 08:57 AM
@bowesmana    quick question on this output. how can i modify it, if there are multiple Temperature fields under node0? how can i capture the other Temperature values under the same node #? | rex max_match=0 "(?s)(?<nodeNum>node\d+):.*?Temperature\s+(?<temp>[^\n]*)" | eval Temps=mvzip(nodeNum, temp, "=")   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-06-2023 10:13 AM
Karma given to