Re: Evaluate on column in space and tab delimited ...

HelloItsMe76 · ‎05-17-2023

Hello all.

I have a log file that looks like this;

PROCESS UP STATUS RESTARTS AGE
PROCESS1 2/2 Running 0 6d19h
PROCESS2aaa 2/2 Completed 0 7d6h
PROCESS3 0/1 Running 6 6d19h

I am trying to evaluate on the RESTART colum. The length of the process name is not consistent and some files are tab delimited and some are space delimited.

I cant get my rex command to work. Any help would be very appreciated.

ITWhisperer · ‎05-17-2023

Try something like this

| rex "(?<PROCESS>\S+)\s+(?<UP>\S+)\s+(?<STATUS>\S+)\s+(?<RESTARTS>\S+)\s+(?<AGE>\S+)"

HelloItsMe76 · ‎05-22-2023

Hey, thanks for the reply. that basically just returns whats already there. I would like to show the data as a table and be able to filter and return rows where, for example, AGE <2. At the moment it doesnt seem to recognise that data as a table and hence i cant filter on AGE, or other columns.

ITWhisperer · ‎05-22-2023

If the rex is not extracting the fields (which would be shown as columns in a table), then the rex expression (based on your sample data) does not match your real data.

Please provide an accurate representation of your actual event data, preferably in a code block </> to reduce formatting corruption.

How do I evaluate on column in space and tab delimited logs?

rex

table

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk