Nahkranoth
Reputation: 37
Finding multiple occurrences of a command in the Dashboard source
I've been trying to work with Regex in trying to find multiple occurrences of all the loadjob commands in the dashboard source code and have been struggling with this. Is this feasible?
Already tried knowing that loadjob savedsearch has "| loadjob savedsearch="user:app:jobname"
| rex field="source" max_match=0 ".*(?:b: loadjob.*=.*:.*:(?P<jobname>))\|* .*"
Source example (this is treated as a single line):
<form script="playground_v2.js" stylesheet="playground_v3.css">
<label>1st Line Clone</label>
<init>
<set token="PrioColor">0xfecb00</set> <set token="Prio1Color">0xe60000</set>
<set token="Prio2Color">0xa8b400</set> <set token="Prio3Color">0x9c2aa0</set>
<set token="Prio4Color">0xeb9700</set> <set token="Prio5Color">0x00b0ca</set>
</init>
<earliest>0</earliest> </search>
<search id="volume2">
<query> | loadjob savedsearch="reporting:fs_reporting:1st_Line_Volumes" | search Domain=$history_domain$ | eval month=if("$report$"=="raised",RaisedMonth,ResolvedMonth) | eval conta=if("$report$"=="raised and resolved" AND RaisedSameMonth==0,0,count) | where month>="$start_time$" AND month<="$end_time$" | eval _time=strptime(month."/01 00:00:00", "%Y/%m/%d %H:%M:%S") | stats sum(conta) as conta by _time, Priority
</query>
</search>
<search id="time2">
<query> | loadjob savedsearch="reporting:fs_reporting:1st_Line_Times" | search Domain=$history_domain$ | eval month=if("$report$"=="raised",RaisedMonth,ResolvedMonth) | where month>="$start_time$" AND month<="$end_time$" | eval _time=strptime(month."/01 00:00:00", "%Y/%m/%d %H:%M:%S")
</query>
</search>
<search id="sla2">
<query> | loadjob savedsearch="reporting:fs_reporting:1st_Line_SLA" | search Domain=$history_domain$ | eval month=if("$report$"=="raised",RaisedMonth,ResolvedMonth) | where month>="$start_time$" AND month<="$end_time$" | eval _time=strptime(month."/01 00:00:00", "%Y/%m/%d %H:%M:%S")
</query>
</search>
</form>
<form script="playground_v2.js" stylesheet="playground_v3.css"> <label>1st Line Clone</label> <init> <set token="PrioColor">0xfecb00</set> <set token="Prio1Color">0xe60000</set> <set token="Prio2Color">0xa8b400</set> <set token="Prio3Color">0x9c2aa0</set> <set token="Prio4Color">0xeb9700</set> <set token="Prio5Color">0x00b0ca</set> </init> <earliest>0</earliest> </search> <search id="volume2"> <query> | loadjob savedsearch="reporting:fs_reporting:1st_Line_Volumes" | search Domain=$history_domain$ | eval month=if("$report$"=="raised",RaisedMonth,ResolvedMonth) | eval conta=if("$report$"=="raised and resolved" AND RaisedSameMonth==0,0,count) | where month>="$start_time$" AND month<="$end_time$" | eval _time=strptime(month."/01 00:00:00", "%Y/%m/%d %H:%M:%S") | stats sum(conta) as conta by _time, Priority </query> </search> <search id="time2"> <query> | loadjob savedsearch="reporting:fs_reporting:1st_Line_Times" | search Domain=$history_domain$ | eval month=if("$report$"=="raised",RaisedMonth,ResolvedMonth) | where month>="$start_time$" AND month<="$end_time$" | eval _time=strptime(month."/01 00:00:00", "%Y/%m/%d %H:%M:%S") </query> </search> <search id="sla2"> <query> | loadjob savedsearch="reporting:fs_reporting:1st_Line_SLA" | search Domain=$history_domain$ | eval month=if("$report$"=="raised",RaisedMonth,ResolvedMonth) | where month>="$start_time$" AND month<="$end_time$" | eval _time=strptime(month."/01 00:00:00", "%Y/%m/%d %H:%M:%S") </query> </search> </form>
| rest /servicesNS/-/-/data/ui/views
| table Type author title eai:acl.app eai:data
| eval Type="Dashboards"
| rename author as Owner title as Name eai:acl.app as AppName eai:data as source search as source
| rex field="source" max_match=0 ".*(?:b: loadjob.*=.*:.*:(?P<jobname>))\|* .*"
What I wanted is to get All instances in dashboard source of "loadjob" and get its job name into field
Currently i'm not getting any results with it
Upvotes: 0
Views: 90
Answers (2)
Nahkranoth
Reputation: 37
Based off of Robo Mop's suggestion:
loadjob\s*.*?=(?<job>(?P<quote>\").*?(?P=quote))(?=\s*\|)
This will get the results that i want. Thanks a lot Robo Mop!
Upvotes: 0
Robo Mop
Reputation: 3553
I'm not really familiar with the tag rest, but based on your question, you seem to want loadjob savedsearch="..." as group 0. So here is some code you can try out:
loadjob\s*.*?=(?P<quote>['"]).*?(?P=quote)(?=\s*\|)
As seen here at regex101.com
It also takes care of a scenario where savedsearch is followed by a single quote ' instead of a double quotation mark "
Upvotes: 1
Related Questions
- Splunk : extract multiple values from each event
- Splunk query not endswith
- Splunk: How to use multiple regular expressions in one query?
- Splunk query to extract a number (time taken)
- Splunk rex: extracting repeating keys and values to a table
- Splunk: Trying to split multiline event at search time
- Splunk subsearch for regex outputs
- how can I find all dashboards in splunk, with usage information?
- RegEx in Splunk Search
- extracting command using regular expression