Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Split unix commands

dwibedi03
Explorer
‎08-06-2020 12:03 PM

There is a command fields in my logs and consists of unix commands.

One value is 

/usr/bin/ssh -q -o ConnectTimeout=5 -o BatchMode=yes zevsbdr66599.prodb.cally.org netstat -rn

I am looking to extract netstat -rn. 

Can someone provide me a way to split ?

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 12:44 PM

May be because of double quotes using in rex. Remove and input them from your keyboard. 

107B04E0-D2A4-4346-B7D0-4CA369641F71.png

————————————
If this helps, give a like below.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mfasciano_splun
Splunk Employee
Splunk Employee
‎08-06-2020 12:43 PM

Are you looking to extract the field in a query through spl or are you trying to do a field extraction on ingest of the log data?

For the first you would add a field extraction in your props.conf file.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Exampleconfigurationswithprops.conf

For the second you would use the rex command as suggested.  

https://docs.splunk.com/Documentation/SCS/current/SearchReference/RexCommandExamples

The regex you would use depends on how consistant your logs are and if you could define a regex to match all of the logs you are concerned with.  Here is an example of what might work if all of your logs had the command at the end of the line:

| rex field=_raw “(?<command>[\w]+\s[-\w]*)$”

The above regex is not perfect.  You'll have to account for a command with and without arguments.  The above regex isn't perfect if your command doesn't have -xyz arguments.  

Reply
Solved! Jump to solution

dwibedi03
Explorer
‎08-06-2020 12:45 PM

Thanks for your reply. I will check it out.

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 12:18 PM

I am assuming all your commands at end of line.

 

| rex “(?<command>[\w]+\s[-\w]+)$”

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

dwibedi03
Explorer
‎08-06-2020 12:22 PM

@thambisetty  tried your solution. It throws error.

0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 12:44 PM

May be because of double quotes using in rex. Remove and input them from your keyboard. 

107B04E0-D2A4-4346-B7D0-4CA369641F71.png

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

dwibedi03
Explorer
‎08-06-2020 12:46 PM

Yes, i got to make it work. However it is not accounting for all the commands. I will  improvise. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...