rex

Description

Use the rex command to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions.

The rex command matches the value of the specified field against the unanchored regular expression and extracts the named groups into fields of the corresponding names. When mode=sed, the given sed expression used to replace or substitute characters is applied to the value of the chosen field. This sed syntax is also used to mask, or anonymize, sensitive data at index time. Read about using sed to anonymize data in the Getting Data In Manual.

If a field is not specified, the regular expression or sed expression is applied to the _raw field. Running the rex command against the _raw field might have a performance impact.

Use the rex command for search-time field extraction or string replacement and character substitution.

Syntax

rex [field=<field>] ( <regex-expression> [max_match=<int>] ) | ( mode=sed <sed-expression> )

Required arguments

You must specify either a regex-expression, or mode=sed together with a sed-expression.

regex-expression
Syntax: "<string>"
Description: The PCRE regular expression that defines the information to match and extract from the specified field.

mode
Syntax: mode=sed
Description: Specify to indicate that you are using a sed (UNIX stream editor) expression.

sed-expression
Syntax: "<string>"
Description: When mode=sed, specify whether to replace strings (s) or substitute characters (y) in the matching regular expression. Sed mode supports the following flags: global (g), which replaces every occurrence, and Nth occurrence (N), where N is a number selecting which single occurrence in the string is replaced.

Optional arguments

field
Syntax: field=<field>
Description: The field that you want to extract information from.
Default: _raw

max_match
Syntax: max_match=<int>
Description: Controls the number of times the regex is matched. Multiple matches apply to the repeated application of the whole pattern. If greater than 1, the resulting fields are multivalued fields.
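The following Python program is an added worked example, not code from the Splunk documentation or product. It emulates the two rex behaviours described above on constructed log lines: named-group extraction (including how max_match greater than 1 turns a field into a multivalued list) and the sed s and y commands with the g and N flags, used here to mask a card number the way the index-time anonymization the page refers to would. Everything in it (the sample events, the CARD_MASK expression, the helper names) is an assumption for the demonstration; the only Splunk-specific facts it relies on are the PCRE named-group syntax and the s/y/g/N semantics the page states.

```python
import re

# Constructed sample events for the demonstration (not real log data).
EVENTS = [
    "2024-05-01T10:00:01Z auth user=alice src=10.0.0.5 card=4111-1111-1111-1111 status=ok",
    "2024-05-01T10:00:02Z auth user=bob src=10.0.0.9 src=10.0.0.10 status=fail",
]


def _pcre_to_python(pattern):
    """Python's re spells named groups (?P<name>...); SPL uses PCRE's (?<name>...).
    Rewrite only named groups, leaving lookbehinds (?<= and (?<! untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex_extract(value, pattern, max_match=1):
    """Emulate rex field extraction: match the unanchored regex against the
    field value and return the named groups as fields. With max_match > 1 the
    whole pattern is re-applied up to max_match times and each field is a list
    (a multivalued field); with max_match=1 each field is a single string."""
    if max_match < 1:
        raise ValueError("max_match must be at least 1 in this emulation")
    regex = re.compile(_pcre_to_python(pattern))
    fields = {}
    for i, match in enumerate(regex.finditer(value)):
        if i >= max_match:
            break
        for name, captured in match.groupdict().items():
            if captured is None:
                continue  # an optional group that did not take part in the match
            if max_match == 1:
                fields[name] = captured
            else:
                fields.setdefault(name, []).append(captured)
    return fields


def rex_sed(value, sed_expr):
    """Emulate rex mode=sed for the two commands the page lists:
      s/<regex>/<replacement>/[g|N]     replace the matched string (N = Nth match only)
      y/<source chars>/<target chars>/  substitute characters one-for-one
    The delimiter is whatever character follows the command letter. The split
    is naive: an escaped delimiter inside the regex is not supported here."""
    cmd, delim = sed_expr[0], sed_expr[1]
    parts = sed_expr[2:].split(delim)
    if cmd == "y":
        source, target = parts[0], parts[1]
        if len(source) != len(target):
            raise ValueError("y/// needs source and target of equal length")
        return value.translate(str.maketrans(source, target))
    if cmd == "s":
        pattern, replacement = parts[0], parts[1]
        flags = parts[2] if len(parts) > 2 else ""
        # sed back-references \1 \2 ... become Python's \g<1> \g<2> ...
        py_repl = re.sub(r"\\(\d+)", r"\\g<\1>", replacement)
        regex = re.compile(_pcre_to_python(pattern))
        if flags == "g":
            return regex.sub(py_repl, value)  # every occurrence
        nth = int(flags) if flags.isdigit() else 1  # no flag: first occurrence only
        seen = 0

        def replace_nth(match):
            nonlocal seen
            seen += 1
            return match.expand(py_repl) if seen == nth else match.group(0)

        return regex.sub(replace_nth, value)
    raise ValueError("only the s and y sed commands are implemented")


# The masking expression used below, in the form the SPL command would take:
#   | rex mode=sed "s/(\d{4}-)\d{4}-\d{4}-(\d{4})/\1XXXX-XXXX-\2/g"
CARD_MASK = r"s/(\d{4}-)\d{4}-\d{4}-(\d{4})/\1XXXX-XXXX-\2/g"


def mask_cards(events):
    """Apply the card-number mask to every event, as rex would per event."""
    return [rex_sed(e, CARD_MASK) for e in events]


if __name__ == "__main__":
    print(rex_extract(EVENTS[0], r"user=(?<user>\S+)"))
    print(rex_extract(EVENTS[1], r"src=(?<src>\d+\.\d+\.\d+\.\d+)", max_match=10))
    for line in mask_cards(EVENTS):
        print(line)
```

Two details are worth noticing when you run it: the second event carries two src= pairs, and only max_match greater than 1 surfaces the second address; and the card mask keeps the first and last groups of digits, which is the usual shape for a mask that must still allow correlation without exposing the full number.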
dump

Description

For Splunk Enterprise deployments, export search results to a set of chunk files on local disk. For information about other export methods, see Export search results in the Search Manual.

The dump command is an internal, unsupported, experimental command.

This command is considered risky because, if used incorrectly, it can pose a security risk or potentially lose data when it runs. As a result, this command triggers SPL safeguards. See SPL safeguards for risky commands in Securing the Splunk Platform.

Syntax

dump basefilename=<string> [rollsize=<number>] [compress=<number>] [format=<string>] [fields=<comma-delimited-string>]

Required arguments

basefilename
Syntax: basefilename=<string>
Description: The prefix of the export filename.

Optional arguments

compress
Syntax: compress=<number>
Description: The gzip compression level. Specify a number from 0 to 9, where 0 means no compression and a higher number means more compression and slower writing speed.
Default: 2

fields
Syntax: fields=<comma-delimited-string>
Description: A list of the fields to be exported. The entire list must be enclosed in quotation marks.

format
Syntax: format= raw | csv | tsv | json | xml
Description: The output data format.
Default: raw

rollsize
Syntax: rollsize=<number>
Description: The minimum file size, in MB, at which point no more events are written to the file and it becomes a candidate for HDFS transfer.

Usage

This command exports events to a set of chunk files on local disk at "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump", where <sid> is the search ID. This command recognizes a special field in the input events, _dstpath, which if set is used as a path to be appended to the dst directory to compute the final destination path.

The dump command preserves the order of events as the events are received by the command.

dump is considered to be a potentially risky command. To use this command, you must have a role with the run_dump capability. See Define roles on the Splunk platform with capabilities. For more information about risky commands, see SPL safeguards for risky commands.

Examples

Example 1: Export all events from index "bigdata" to the location "YYYYmmdd/HH/host" under the "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump/" directory on local disk, with "MyExport" as the prefix of the export filenames. Partitioning of the export data is achieved by the eval that precedes the dump command.

index=bigdata | eval _dstpath=strftime(_time, "%Y%m%d/%H") + "/" + host | dump basefilename=MyExport

Example 2: Export all events from index "bigdata" to the local disk with "MyExport" as the prefix of the export filenames.

index=bigdata | dump basefilename=MyExport
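The following Python program is an added example, not code from the Splunk documentation or product. It reproduces the partitioning in Example 1: the eval builds _dstpath from _time and host, and dump appends that value to its destination directory. The events, the DUMP_ROOT standing in for $SPLUNK_HOME and <sid>, and the UTC rendering of _time are assumptions for the demonstration (Splunk's strftime renders _time in the search-time zone). The containment check is also an addition of this example rather than a documented dump behaviour: the page does not say how dump treats a _dstpath that points outside its directory, and host is event data, so an eval that builds a filesystem path from it is a place where a practitioner would want that check.

```python
import posixpath
from datetime import datetime, timezone

# Hypothetical values standing in for $SPLUNK_HOME and the search id <sid>.
DUMP_ROOT = "/opt/splunk/var/run/splunk/dispatch/1714557601.42/dump"


def dstpath_for(event_time, host):
    """Mirror the page's eval: strftime(_time, "%Y%m%d/%H") + "/" + host.
    Assumes UTC; Splunk's strftime renders _time in the search-time zone."""
    stamp = datetime.fromtimestamp(event_time, tz=timezone.utc).strftime("%Y%m%d/%H")
    return stamp + "/" + host


def is_contained(dump_root, dstpath):
    """Added check (not a documented dump behaviour): true only if dump_root
    joined with dstpath still resolves to dump_root or something beneath it."""
    combined = posixpath.normpath(posixpath.join(dump_root, dstpath))
    return combined == dump_root or combined.startswith(dump_root + "/")


def final_destination(dump_root, dstpath):
    """dump appends _dstpath to its destination directory. Because host is
    event data, refuse any computed path that escapes dump_root."""
    if not is_contained(dump_root, dstpath):
        raise ValueError(f"_dstpath escapes the dump directory: {dstpath!r}")
    return posixpath.normpath(posixpath.join(dump_root, dstpath))


def partition(events, dump_root=DUMP_ROOT):
    """Group events by the directory dump would write them to, preserving
    event order within each partition (dump keeps the input order)."""
    buckets = {}
    for event in events:
        dest = final_destination(dump_root, dstpath_for(event["_time"], event["host"]))
        buckets.setdefault(dest, []).append(event["_raw"])
    return buckets


# Constructed events (not real data): two hosts, two hours, UTC epoch times.
EVENTS = [
    {"_time": 1714557601, "host": "web01", "_raw": "GET /login 200"},   # 2024-05-01 10:00:01Z
    {"_time": 1714557605, "host": "web02", "_raw": "GET /admin 403"},   # 2024-05-01 10:00:05Z
    {"_time": 1714561201, "host": "web01", "_raw": "POST /login 302"},  # 2024-05-01 11:00:01Z
]

if __name__ == "__main__":
    for dest, raws in partition(EVENTS).items():
        print(dest, len(raws))
```

Running it yields three destination directories, one per (hour, host) pair, which is exactly the "YYYYmmdd/HH/host" layout Example 1 describes; a host value containing "../" segments is rejected before it reaches the filesystem.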