1/16/2024 0 Comments Splunk rex in macroIndex=_internal method=POST sourcetype=splunkd_ui_access uri_path=/en-US/manager/search/admin/macros/my_*indexes | rex field=uri_path "\/en-US\/manager\/search\/admin\/macros\/(?. So my current version of search is below and I am looking the way how I can add the previousDefinition of macro before it was edited. | rest /servicesNS/-/-/admin/macros splunk_server=local |search title= Only what I can get the current definition is by How can I add more details to it like what the current and previous definition for each of macro. Index=_internal method=POST sourcetype=splunkd_ui_access uri_path=/en-US/manager/search/admin/macros/my_*indexes | rex field=uri_path "\/en-US\/manager\/search\/admin\/macros\/(?.*)" |table _time host user macro I personally think the FIRST way is way cleaner and easier to follow.Can someone please help me here :I have a search giving me the details of users who modified macros New search using macro: index=foo sourcetype=yapache_access host=bar | fields url,duration `CleanUpURL` stats count, avg(duration) as servertime by url | where count>100 | sort 100 -servertime I usually do it the way I describe, but you could also do it this way: You obviously have to keep them in the MIDDLE of your macro, it's just the ones at the ends. One tip: watch your leading and trailing pipes | - you can include them in the macro or not, but stay consistent. If you name it 'CleanUpURL' then you can call it in your actual search (or someone else can) like so: index=foo sourcetype=yapache_access host=bar | fields url,duration | `CleanUpURL` | stats count, avg(duration) as servertime by url | where count>100 | sort 100 -servertime You can probably take that entire pile of rex. l4sdeobfuscate definition rex modesed fieldraw s/25//g s/24//g s/7b. Still, here's what I'd do: create a macro! This macro will run against the raw field and will output the cleaned log. How to use a token for a rex in Splunk Ask Question Asked 856 times 2 I have a token tokenrex set up as follows in the dashboard: mvjoin (mvmap tokenkeywordsmv,' (<'.tokenkeywordsmv.'>'.tokenkeywordsmv.But I don't think this is what you need because you are "erasing" parts of a line, and unless you want to erase the actual stuff in the event sort-of-permanently, this might be difficult. There's a great document by the docs team to Create and maintain search-time field extractions through configuration files. I tried searching the docs and the forums before asking this. So, two questions:ġ) is defining a new calculated field via the UI: " Fields » Calculated fields » Add new" the way to go?Ģ) if so, how to do I do it? I haven't found an example that shows me how to fill out that form when a chain of rex's is what defines my new field.Īpologies if this is detailed somewhere handy. the last Module Course Objectives : Module 1 - Splunk Introduction Module 2. I would like to share out this flattening of the url to other users on the team in a convenient to use way. extracting fields using REX, creating tags and eventtypes, using macros. This search groups urls by replacing embedded id's and dates, etc with constants so that I can look at requests that have at least 100 uses, and then sort them by their mean servertime to find slow requests. I have a search that looks like: index=foo sourcetype=yapache_access host=bar | fields url,duration | rex field=url mode=sed "s//_HASH/g" | rex field=url mode=sed "s/ysp_user_agent=+//g" | rex field=url mode=sed "s/oauth+=+//g" | rex field=url mode=sed "s/(\d\d\d\d-\d\d-\d\d)/YYYY-MM-DD/g" | rex field=url mode=sed "s/()(\d+)/\1_ID/g" | stats count, avg(duration) as servertime by url | where count>100 | sort 100 -servertime
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |