Usage of Splunk commands : EREX
Usage of Splunk commands : EREX is as follows
- Erex command is used for field extraction in the search head when you don’t know the regular expression to use.
- This command extract those field values which are similar to the example values that you specify.
Find below the skeleton of the usage of the command “erex” in SPLUNK :
erex [<field>] examples=<string> [counterexamples=<string>] []
Suppose we are getting the raw data from any of our indexes. So we want to extract the fields from that raw log. Below we have given a sample.
From the above data we want to extract the values like “GET” and “POST” values in “METHOD” field.
Example:
index=_internal sourcetype=splunkd_ui_access | erex METHOD examples="GET , POST" | table METHOD | dedup METHOD
Result:
Explanation:
In the above query “_internal” is the index name and sourcetype name is “splunkd_ui_access”. By the “erex” command we have extracted the “METHOD” field taking examples values like “GET” , “POST” . By the “table” command we have taken the “METHOD” field and by the “dedup” command we have removed the duplicate values.
Note:
If you click on the job menu then you will be able to see the regular expression based on your examples.You can also use that “rex” command with the regular expression instead of the “erex” command.
The regular expression for this above search example is
| rex “(?i)^[^\+]*\+\d+\]\s+\”(?P<METHOD>[^ ]+)”
Now you can effectively utilize “erex” command in your daily use to meet your requirement !!
Hope you are now comfortable in : Usage of Splunk commands : EREX
HAPPY SPLUNKING !!