Splunk extract a value from string which begins with a particular value - splunk

Could you help me extract file name in table format.
Here the below field just before file name is always constant. "Put File /test/abc/test/test/test to /test/test/test/test/test/test/test/test/test/test destFolderPath: /test/test/test/test/test/test/test/abc/def/hij"
This is an event from splunk
2021-04-08T01:03:40.155069+00:00 somedata||someotherdata||..|||Put File /test/abc/test/test/test to /test/test/test/test/test/test/test/test/test/test destFolderPath: /test/test/test/test/test/test/test/abc/def/hij/CHARGEBACK_20210407_060334_customer.csv
Result should be in table format (font / format doesn't matter):
File Name
CHARGEBACK_20210407_060334_customer.csv

Assuming the original event/field ends with the file name, you should use this regular expression:
(?<file_name>[^\/]+)$
This will extract the text between the last "/" and the end of the event/field ("$").
You can test it here: https://regex101.com/r/J6bU3m/1
Now you can use Splunk's rex command to extract fields at search-time:
| makeresults
| eval _raw="2021-04-08T01:03:40.155069+00:00 somedata||someotherdata||..|||Put File /test/abc/test/test/test to /test/test/test/test/test/test/test/test/test/test destFolderPath: /test/test/test/test/test/test/test/abc/def/hij/CHARGEBACK_20210407_060334_customer.csv"
| fields - _time
| rex field=_raw "(?<file_name>[^\/]+)$"
Alternatively, you could also use this regular expression since you mentioned that the file path is always the same:
| rex field=_raw "abc\/def\/hij\/(?<file_name>.+)"

Related

Splunk - Add Conditional On Input

I have a Splunk Dashboard. This dashboard has a Text input where the user can enter a path. After entering the input, I would like to apply some conditional logic to the path input by the user before the search is executed. Is this possible in Splunk? Is there a way for me to take the Text input (i.e. path) and do something like:
var parameter1 = "value-a";
if (path == "/endpoint-1")
parameter1 = "value-b";
else if (path == "/endpoint-2")
parameter1 = "/endpoint-3";
// Execute search with parameter1
Thank you.
Subsearches!
E.g.:
index=data [
| makeresults count=1
| eval path="$inputToken$"
| eval parameter1=case(
path="/endpoint-1","value-b",
path="/endpoint-2","/endpoint-3")
| fields parameter1
| format]
The subsearches are run before the main search, and alter that main search.
The main search here, after the subsearch has run, would be something like:
index=data parameter1="value-b"
Related reading to help on your subsearch journey:
https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Useasubsearch
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Return

How to extract data using multiple delimited values in splunk

I have the below string in logs with multiple delimiters (:, = and #). I am expecting all the values in tabular format like:
tenant |countryCode |deviceType |platformID|paymentMethod1|paymentMethod2|userAgent
XYZ | US | IOS |13 |p1 |p2 |Mozilla /20.0.553 Mozilla/5.0
logs string
TrackingLogs tenant=XYZ, countryCode=US, deviceType:IOS, platformID:13,currency=USD, paymentMethods:P1 # P1 # P2 # P2 # P4 # , userAgent:Mozilla /20.0.553 Mozilla/5.0
I tried for ':' but got no result:
search string| rex field=_raw "deviceType\:\s+?(?<deviceType>\S+)" |table deviceType
For = I used the query below and it worked, but I don't know how to combine it with : and #:
search trackinglog | rex field=tenant "(?<tenant>[^\.]*)\.[a-zA-Z]"| table _raw tenant, countryCode , currency , paymentMethods
The problem with the first query is not the separator, but the regex itself. It expects a space where none exists. This variation works:
| rex field=_raw "deviceType:\s*?(?<deviceType>\S+)" |table deviceType
For better results, however, try the extract command.
| extract pairdelim="," kvdelim=":="
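To make the extract call concrete, here is the same pair/key-value split reimplemented in Python and run over the log line from the question. This is an added example, not part of the answer above, and Python stands in for SPL only so the logic can be run offline. Two choices are this example's own: the key is taken as the last word before the delimiter (so the leading `TrackingLogs` token is not glued onto `tenant`), and the `#`-separated paymentMethods value, which a pair/kv split leaves as one string, is split and de-duplicated in a second step.

```python
import re
from typing import Dict, List

# Constructed sample: the log line quoted in the question.
LOG_LINE = (
    "TrackingLogs tenant=XYZ, countryCode=US, deviceType:IOS, platformID:13,"
    "currency=USD, paymentMethods:P1 # P1 # P2 # P2 # P4 # , "
    "userAgent:Mozilla /20.0.553 Mozilla/5.0"
)


def extract_kv(line: str, pairdelim: str = ",", kvdelim: str = ":=") -> Dict[str, str]:
    """Mimic `extract pairdelim="," kvdelim=":="`: cut the line into pairs on any
    character in pairdelim, then cut each pair on the FIRST character from kvdelim.
    Key = last whitespace-delimited token left of the delimiter (this example's rule,
    not a documented Splunk behaviour); value = everything right of it, trimmed."""
    pair_re = re.compile("[" + re.escape(pairdelim) + "]")
    kv_re = re.compile("[" + re.escape(kvdelim) + "]")
    fields: Dict[str, str] = {}
    for pair in pair_re.split(line):
        m = kv_re.search(pair)
        if not m:
            continue  # no key/value delimiter in this chunk: nothing to extract
        left = pair[: m.start()].split()
        if not left:
            continue  # delimiter with no key in front of it
        fields[left[-1]] = pair[m.end():].strip()
    return fields


def split_multivalue(value: str, sep: str = "#") -> List[str]:
    """Turn 'P1 # P1 # P2 # P2 # P4 #' into ['P1', 'P2', 'P4']: split on sep, trim,
    drop empties, keep first-occurrence order (like mvdedup(split(...)) in SPL)."""
    seen: List[str] = []
    for part in value.split(sep):
        part = part.strip()
        if part and part not in seen:
            seen.append(part)
    return seen


def to_row(line: str) -> Dict[str, str]:
    """One table row: the flat key/value fields plus paymentMethod1..N columns."""
    fields = extract_kv(line)
    for i, method in enumerate(split_multivalue(fields.pop("paymentMethods", "")), 1):
        fields["paymentMethod%d" % i] = method
    return fields


if __name__ == "__main__":
    for key, value in to_row(LOG_LINE).items():
        print("%-16s %s" % (key, value))
```

The SPL counterpart of `split_multivalue` is `makemv delim="#" paymentMethods` (optionally followed by `eval paymentMethods=mvdedup(paymentMethods)`), which you would run after the extract command; extract itself only splits on the pair and key/value delimiters.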

how to extract value from splunk and generate line graph

My log messages
.o.s.c.PaymentMethodInstrumentController : Exiting ServiceController.getMyServiceDetails() : elapsedTime(ms):34, xrfRequestId:c3b5878d-8795-49cb-b6a7-51ab02789f46, xCorrelationId:786d68ea-ze46-42b9-966f-124f2eb444f6, xForwardedFor:10.242.79.96
.o.s.c.PaymentMethodInstrumentController : Exiting ServiceController.getMyServiceDetails() : elapsedTime(ms):39, xrfRequestId:c3b2c08d-6c6d-49cb-b6a7-51a89897446, xCorrelationId:78676yt64-ze46-42b9-966f-124f2eb444f6, xForwardedFor:10.242.79.96
I am looking to extract elapsedTime(ms):34 and generate the line graph of these values.
Assuming you already have _time, something like this:
<your search>
| rex "elapsedTime\(ms\):(?<elapsedTime>\d+),"
| table _time elapsedTime
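The parentheses in `elapsedTime(ms)` are regex metacharacters, so they have to be escaped or the pattern silently matches nothing. The following added example (not part of the answer) runs the unescaped and escaped patterns over the two log lines from the question in Python, which behaves the same as rex's PCRE engine for these patterns, and pulls the values out as the numeric series you would chart. The log lines are the question's, abridged after the correlation id.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample: the two lines quoted in the question, abridged.
LOG_LINES = [
    ".o.s.c.PaymentMethodInstrumentController : Exiting ServiceController.getMyServiceDetails() : "
    "elapsedTime(ms):34, xrfRequestId:c3b5878d-8795-49cb-b6a7-51ab02789f46, "
    "xCorrelationId:786d68ea-ze46-42b9-966f-124f2eb444f6, xForwardedFor:10.242.79.96",
    ".o.s.c.PaymentMethodInstrumentController : Exiting ServiceController.getMyServiceDetails() : "
    "elapsedTime(ms):39, xrfRequestId:c3b2c08d-6c6d-49cb-b6a7-51a89897446, "
    "xCorrelationId:78676yt64-ze46-42b9-966f-124f2eb444f6, xForwardedFor:10.242.79.96",
]

KEY = "elapsedTime(ms):"

# Wrong: "(ms)" is a capture group that matches the bare letters "ms", so this pattern
# looks for "elapsedTimems:" and never matches the actual log text.
UNESCAPED = re.compile(r"elapsedTime(ms):(?P<elapsedTime>\d+)")

# Right: escape the literal key, i.e. elapsedTime\(ms\):, exactly as the rex pattern
# needs. re.escape builds it from the plain string so no metacharacter is missed.
ESCAPED = re.compile(re.escape(KEY) + r"(?P<elapsedTime>\d+)")


def elapsed_ms(line: str, pattern: "re.Pattern[str]" = ESCAPED) -> Optional[int]:
    """Return the elapsed time in milliseconds as an int, or None if no match."""
    m = pattern.search(line)
    return int(m.group("elapsedTime")) if m else None


def elapsed_series(lines: Iterable[str]) -> List[int]:
    """The per-event values in log order, which is the y-axis of the line graph;
    events without a match are dropped rather than plotted as zero."""
    return [v for v in (elapsed_ms(line) for line in lines) if v is not None]


if __name__ == "__main__":
    print("unescaped:", [elapsed_ms(line, UNESCAPED) for line in LOG_LINES])
    print("escaped:  ", elapsed_series(LOG_LINES))
```

In SPL, once the field is extracted, `timechart span=1m avg(elapsedTime)` (or `max`) gives a line chart directly instead of a table you then switch to a chart.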

How can we write the Splunk query to find whether subField2 is present or not and, if present, get the counts of all subField2

{
index:"myIndex",
field1: "myfield1",
field2: {"subField1":"mySubField1","subField2":145,"subField3":500},
...
..
.
}
SPL : index:"myIndex" eval result = if(field.subField2) .....
Does the dot operator work in SPL?
I am assuming your data is in JSON format. If so, you can use spath to extract fields from your structured data. Then just check if the field is present or not with isnotnull:
index="myIndex" | spath | where isnotnull(field2.subField2)
Presuming your data is in JSON format, this should do it:
index=myIndex sourcetype=srctp field2.subField2=*
If those are multivalue fields, you'll need to do an mvexpand first
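The two answers differ in how they spell the path, and the difference matters: Splunk names a key inside a nested object `field2.subField2`, and the members of an array `field2{}.subField2`. The added example below (not from either answer) implements that naming rule as a small spath-style lookup in Python over constructed JSON events, so you can see which events the presence check selects and what the count looks like once array members are expanded the way mvexpand would expand them.

```python
import json
from typing import Any, Iterable, List, Tuple

# Constructed JSON events modelled on the question: one with subField2 in a nested
# object, one without it, and one where field2 is an array of objects.
EVENTS = [
    '{"index":"myIndex","field1":"a","field2":{"subField1":"x","subField2":145,"subField3":500}}',
    '{"index":"myIndex","field1":"b","field2":{"subField1":"y","subField3":7}}',
    '{"index":"myIndex","field1":"c","field2":[{"subField2":1},{"subField2":2},{"subField1":"z"}]}',
]


def spath(obj: Any, path: str) -> List[Any]:
    """Resolve a Splunk-style path such as 'field2.subField2' or 'field2{}.subField2'.
    A segment ending in '{}' means every element of that array; the result is the
    list of all values reached, i.e. a multivalue field, empty when nothing matches."""
    values = [obj]
    for seg in path.split("."):
        want_array = seg.endswith("{}")
        name = seg[:-2] if want_array else seg
        next_values: List[Any] = []
        for cur in values:
            if not isinstance(cur, dict) or name not in cur:
                continue  # path does not exist in this branch
            child = cur[name]
            if want_array:
                if isinstance(child, list):
                    next_values.extend(child)  # descend into every array member
            else:
                next_values.append(child)
        values = next_values
    return values


def count_subfield2(raw_events: Iterable[str], path: str = "field2.subField2") -> Tuple[int, int]:
    """(number of events where the path is present, sum of its numeric values).
    Presence is the isnotnull check from the first answer; the sum is taken over the
    expanded multivalue, which is what you get after mvexpand in SPL."""
    present = 0
    total = 0
    for raw in raw_events:
        vals = spath(json.loads(raw), path)
        if vals:
            present += 1
            total += sum(v for v in vals if isinstance(v, (int, float)))
    return present, total


if __name__ == "__main__":
    for p in ("field2.subField2", "field2{}.subField2"):
        print(p, "->", count_subfield2(EVENTS, p))
```

Run against the three constructed events, the object path matches only the first event (value 145) and the array path only the third (values 1 and 2); neither spelling matches the second event, which is the "not present" case.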

Extracting particular value using regex in splunk

In the below event "status" key has the value either "1" or "0".
I am looking to extract those "status" having the value "0" and put them in a field.
Please help me out in getting a regular expression for this.
- 2017-02-14 18:47:28.572 INFO SomePlaceHolder-5 [.abc.def.nothingishere] - string response: <200 OK,{"clips":[{"myid":"123456","historyid":"777-888-999","provider":"somecompany","status":1,"userType":1}]},{X-Backside-Transport=[OK OK], Connection=[Keep-Alive], Transfer-Encoding=[chunked], Content-Type=[application/json], X-Powered-By=[ARR/3.0,ASP.NET], Date=[Tue, 14 Feb 2017 18:47:28 GMT], X-Client-IP=[10.0.0.0.], X-Global-Transaction-ID=[9876543]}>
Presuming Splunk hasn't already extracted these automatically (it looks close to JSON, perhaps), this will do it:
index=ndx sourcetype=srctp
| rex field=_raw "status\":(?<status>\d+)"
| search status=0