In this article, I'll explain how you can extract fields using Splunk SPL's rex command. I'll provide plenty of examples with actual SPL queries. In my experience, rex is one of the most useful commands in the long list of SPL commands. I'll also reveal one secret command that can make this process super easy.

Hi, hope you are doing really well, and thank you for helping me solve my previous issues. I have now learnt how to build regex queries on my own after your explanations and analysis of the queries you built for me; a huge thank you for that. I have another issue now, which I hope you would help me get solved. I have 2 separate queries that I built using rex.

1. index=windows_log host=abc-05-hiddencam logged* | eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status + if(isnotnull(user), " " + user, "")

This query captures the log-on and log-off status of the service. If you'll notice, I've added an if clause to the eval function. The reason is that when trying to eval a field based on a field that doesn't exist in the data, the eval will fail and you'll end up with an empty field.

2. I run the below 1, 2, 3 queries on the given datasets to find out which users ran the enable command on which host at what time:

index=linux_logs host=gsw-03-tacacs enable*
index=linux_logs host=edc-03-tacacs enable*

I tried hard but could not find a query to merge all these data (indexes and hosts) to find out who ran the enable command successfully, at what time and on which host, and get those results into a table that looks like:

| table date host user command(enable) status(success)

If you want what's between the GET and HTTP, this will do it:

| rex field=_raw "GET\s+(?<fname>\S+)\s+HTTP"

Start at the string literal GET, go one (or more) whitespaces, then put everything that's not a whitespace character (up until a whitespace sequence that ends in the string literal HTTP) into the new field fname. Functionally, you can leave off the \s+HTTP from the regex, but for fullness' sake, you may want to choose to leave it in there.

If you only want the ending filename, this is it:

| rex field=_raw "(?<fname>[^/]+)\s+HTTP"

This one will match anything that is not a forward slash (/) up to the series of whitespaces followed by HTTP, all into the new field fname.

Or, optionally (though more steps to find the match, it might be better in your case):

| rex field=_raw "(?<fname>[\w.-]+)\s+HTTP"

This matches a period (.), a hyphen (-) and any word character (\w) as many times as they are found before a sequence of whitespace characters (\s+) followed by the string literal HTTP, all into the new field fname.

But what I struggle with now is to convert the timeStamp string to a date format to get, at the end, the min(timeStamp) extracted, in order to compute the difference between the event's time and the min(timeStamp) by the id field. I am struggling because of the special format of the timestamp, with T and Z included in it.
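The two SPL behaviours discussed above, reproduced in plain Python as an added example (this is not the article's code nor any commenter's): the three rex patterns for pulling the requested filename out of an HTTP request line, run over constructed web-access events, and eval's null propagation when a field such as user is absent from an event, with and without the if(isnotnull(user), ...) guard. The sample events, the field values and the helper names rex, spl_concat and hidden_cam_label are all assumptions made for the example. Python's re module spells a named capture group (?P<name>...); Splunk's PCRE-based rex accepts that spelling as well as (?<name>...), so the patterns below can be pasted into either.

```python
import re

# Constructed sample web-access events (not from the article or the comments).
RAW_EVENTS = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /images/logo.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /static/css/site.min.css HTTP/1.1" 200 2048',
    '10.0.0.7 - - [10/Oct/2023:13:57:12 +0000] "POST /api/login HTTP/1.1" 302 0',
]

# The three patterns from the answer above, each capturing into a field named fname.
# Python's re needs (?P<name>...); Splunk's rex (PCRE) accepts this and (?<name>...).
PATTERNS = {
    "between_get_and_http": r"GET\s+(?P<fname>\S+)\s+HTTP",   # whole request path, GET only
    "last_path_segment":    r"(?P<fname>[^/]+)\s+HTTP",       # from the last slash up to HTTP
    "word_dot_dash":        r"(?P<fname>[\w.-]+)\s+HTTP",     # word chars, '.' and '-' up to HTTP
}


def rex(events, pattern, field="_raw"):
    """Mimic `| rex field=<field> "<pattern>"`: add each named group that matched as a
    new field on the event.  Non-matching events pass through with no field added
    (rex never drops events; the new field is simply null for them)."""
    compiled = re.compile(pattern)
    out = []
    for ev in events:
        ev = dict(ev)
        m = compiled.search(ev.get(field) or "")
        if m:
            ev.update({k: v for k, v in m.groupdict().items() if v is not None})
        out.append(ev)
    return out


def extracted_filenames(pattern_name):
    """fname extracted from every sample event by one pattern; None where rex found no match."""
    events = [{"_raw": raw} for raw in RAW_EVENTS]
    return [ev.get("fname") for ev in rex(events, PATTERNS[pattern_name])]


class F:
    """Reference to an event field inside an eval expression (hypothetical helper)."""
    def __init__(self, name):
        self.name = name


def spl_concat(event, *parts):
    """Mimic SPL's `+` on strings: if any operand is a field that is null in this event,
    the whole expression evaluates to null (None), which is the 'empty field' the
    comment above describes."""
    out = []
    for part in parts:
        if isinstance(part, F):
            value = event.get(part.name)
            if value is None:
                return None
            out.append(str(value))
        else:
            out.append(part)
    return "".join(out)


def isnotnull(event, name):
    """SPL isnotnull(field)."""
    return event.get(name) is not None


# Constructed events for the "Hidden Cam Monitoring" eval; the second has no user field.
CAM_EVENTS = [
    {"Date": "2023-10-10 13:55:36", "hostname": "abc-05-hiddencam", "status": "logged on", "user": "svc_cam"},
    {"Date": "2023-10-10 14:02:10", "hostname": "abc-05-hiddencam", "status": "logged off"},
]


def hidden_cam_label(event, guard_user):
    """eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status + <user part>
    guard_user=False: ... + " " + user                          (null when user is absent)
    guard_user=True:  ... + if(isnotnull(user), " " + user, "")  (the guarded form above)"""
    base = (F("Date"), " : ", F("hostname"), " ", F("status"))
    if guard_user:
        tail = (" " + event["user"],) if isnotnull(event, "user") else ("",)
    else:
        tail = (" ", F("user"))
    return spl_concat(event, *base, *tail)


def hidden_cam_labels(guard_user):
    """The eval applied to every sample event."""
    return [hidden_cam_label(ev, guard_user) for ev in CAM_EVENTS]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:22s} -> {extracted_filenames(name)}")
    print("unguarded eval ->", hidden_cam_labels(guard_user=False))
    print("guarded eval   ->", hidden_cam_labels(guard_user=True))
```

Two things the output makes visible that the prose does not: the GET-anchored pattern leaves fname null on the POST event, whereas the two unanchored patterns happily extract "login" from it, so the anchor is a filter as much as an extraction; and the unguarded eval returns null for the whole label on the event with no user field, not just an empty user part, which is why the if(isnotnull(...)) wrapper is needed.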