USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND

For example, the first and the 2nd record should be: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND

I need to extract from this sample data all the following fields for each record: date, host, user, command (enable), status (success), and get those results into a table. I tried hard but could not find a query to merge all these data (indexes and hosts) to find out who ran the enable command successfully, at what time, on which host.

index=linux_logs host=gsw-03-tacacs enable*
index=linux_logs host=edc-03-tacacs enable*

Either way, the rex command would be something like this: rex field=_raw 'burlb ( +)s'.

Oct 15 08:17:45 8279: 08:17:44.820 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:John logged command:!exec: enable

Splunk should be automatically extracting all those fields for you because of the '' delim. I just tested the two lines you sent and everything was extracted automatically.

I ran the below 1, 2, 3 queries on the given datasets to find out which users ran the enable command on which host at what time:

The reason is that when trying to eval a field based on a field that doesn't exist in the data, the eval will fail and you'll end up with an empty field.

How to extract a field using rex
karthi2809, Contributor, 04-05-2023 10:00 PM
How to extract fields in between servername, which I am using in rex \ \ (P