1/17/2024

Splunk rex in macro

Question:

I have a search that looks like:

```
index=foo sourcetype=yapache_access host=bar
| fields url,duration
| rex field=url mode=sed "s//_HASH/g"
| rex field=url mode=sed "s/ysp_user_agent=+//g"
| rex field=url mode=sed "s/oauth+=+//g"
| rex field=url mode=sed "s/(\d\d\d\d-\d\d-\d\d)/YYYY-MM-DD/g"
| rex field=url mode=sed "s/()(\d+)/\1_ID/g"
| stats count, avg(duration) as servertime by url
| where count>100
| sort 100 -servertime
```

This search groups URLs by replacing embedded IDs, dates, etc. with constants, so that I can look at requests that have at least 100 uses and then sort them by their mean server time to find slow requests. I would like to share out this flattening of the URL to other users on the team in a convenient-to-use way.

So, two questions:

1) Is defining a new calculated field via the UI ("Fields » Calculated fields » Add new") the way to go?
2) If so, how do I do it? I haven't found an example that shows me how to fill out that form when a chain of rex's is what defines my new field.

Apologies if this is detailed somewhere handy. I tried searching the docs and the forums before asking this.

Answer:

There's a great document by the docs team: Create and maintain search-time field extractions through configuration files. But I don't think this is what you need, because you are "erasing" parts of a line, and unless you want to erase the actual stuff in the event sort-of-permanently, this might be difficult.

Still, here's what I'd do: create a macro! You can probably take that entire pile of rex. If you name it 'CleanUpURL', then you can call it in your actual search (or someone else can) like so:

```
index=foo sourcetype=yapache_access host=bar
| fields url,duration
| `CleanUpURL`
| stats count, avg(duration) as servertime by url
| where count>100
| sort 100 -servertime
```

One tip: watch your leading and trailing pipes (|). You can include them in the macro or not, but stay consistent. You obviously have to keep them in the MIDDLE of your macro; it's just the ones at the ends. I usually do it the way I describe, but you could also do it this way. New search using the macro:

```
index=foo sourcetype=yapache_access host=bar | fields url,duration `CleanUpURL` stats count, avg(duration) as servertime by url | where count>100 | sort 100 -servertime
```

I personally think the FIRST way is way cleaner and easier to follow.

What are Splunk macros?

A macro is a short command that can be used to replace part or all of a search string, to make your SPL searches shorter and easier to understand. In Splunk terms, macros are Knowledge Objects. You can use macros to search multiple indexes without having to enter `index=a OR index=b OR …` every time.

Another example of this pattern is a macro named l4s_deobfuscate whose definition is a chain of `rex mode=sed field=_raw` substitutions (the fragments `s/25//g s/24//g s/7b` are what remains of them here). This macro runs against the raw field and outputs the cleaned log.

A related trick for building search strings in a subsearch: subsearches treat the fields `query` and `search` differently from other field names, in that the field names aren't used in the output. A subsearch returning such a field would return something like `((foo="bar"))`. We can't use this output right away in your scenario, though, because of the parentheses. Thankfully you can change the format that's used by the subsearch when returning results, by invoking the command `format` with the proper parameters at the end. In this case we just want to remove all parentheses, so we set empty strings for everything. (The `stats count` at the beginning of the subsearch is just a dummy search; it's there only to be able to run the eval.)

A modular regular expression named `octet` would match only numbers from 0-255 (one octet in an IP address). You can also use modular regular expressions in field extractions.
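Worked example, added here and not the thread's own code: a macros.conf definition of the `CleanUpURL` macro from the answer above in the first style (no pipes at the ends, so the caller writes `| `CleanUpURL` |`), the same macro in the second style (pipes inside), and a one-argument variant that applies the clean-up to any field, which goes beyond what the answer shows. The sed patterns are assumed stand-ins chosen for illustration, since the question's own patterns are only partly reproduced above; the app name `myapp` and the macro names other than `CleanUpURL` are placeholders.

```ini
# $SPLUNK_HOME/etc/apps/myapp/local/macros.conf   (myapp is a placeholder)
#
# Added example, not the original poster's macro: the sed patterns are
# illustrative stand-ins. Each rex rewrites the url field in place, so
# keep a copy first (eval url_raw=url) if the original value is still
# needed later in the search. Avoid a bare "$" in a definition: "$name$"
# is the macro-argument syntax, so an unpaired "$" (e.g. a regex anchor)
# is easy to get wrong.

# Style 1: no leading or trailing pipe inside the macro.
# Call as:
#   index=foo sourcetype=yapache_access host=bar
#   | fields url,duration
#   | `CleanUpURL`
#   | stats count, avg(duration) AS servertime BY url
#   | where count>100 | sort 100 -servertime
[CleanUpURL]
definition = rex field=url mode=sed "s/ysp_user_agent=[^&]*//g" | rex field=url mode=sed "s/oauth[^&]*//g" | rex field=url mode=sed "s/[0-9a-f]{32,}/_HASH/g" | rex field=url mode=sed "s/\d\d\d\d-\d\d-\d\d/YYYY-MM-DD/g" | rex field=url mode=sed "s/\d{6,}/_ID/g"
description = Collapse noisy query parameters, hashes, dates and numeric IDs in url so requests group by route

# Style 2: the pipes live inside the macro, so the caller writes no pipe
# on either side:  ... | fields url,duration `CleanUpURL_piped` stats ...
# Pick one style per macro and stick to it; mixing them produces a double
# or missing pipe and a parse error at search time.
[CleanUpURL_piped]
definition = | rex field=url mode=sed "s/[0-9a-f]{32,}/_HASH/g" | rex field=url mode=sed "s/\d{6,}/_ID/g" |

# Same clean-up with an argument, so it is not tied to the url field.
# "(1)" in the stanza name is the argument count; $field$ is replaced
# with the caller's value at search time.  Call as:  | `clean_path(uri_path)`
[clean_path(1)]
args = field
definition = rex field=$field$ mode=sed "s/[0-9a-f]{32,}/_HASH/g" | rex field=$field$ mode=sed "s/\d\d\d\d-\d\d-\d\d/YYYY-MM-DD/g" | rex field=$field$ mode=sed "s/\d{6,}/_ID/g"
```

Whether you create the macro in this file or through Settings > Advanced search > Search macros, it is private to its creator until its permissions are widened to the app or to all apps, so set that before telling the team about it. The order of the rex commands matters: parameters are stripped before the hash and ID rules run, so a hash inside a removed parameter is never mis-labelled as `_HASH`.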