topic Re: What will be the Regex for creating the below alert? in Splunk Search

What will be the Regex for creating the below alert?

abhi04 — Tue, 29 Sep 2020 20:42:03 GMT

I have below two events which I hav separated by "=" line for better view.I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM" :

S:/PCTOOLS/085/CommLend/Comments/ad_hoc.ldb
S:/PCTOOLS/085/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/005/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/061/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/084/CommLend/Comments/romcomm.ldb

7/31/18
8:15:01.000 PM

S:/PCTOOLS/085/CommLend/Comments/ad_hoc.ldb
S:/PCTOOLS/085/CommLend/Comments/romcomm.ldb

Script Information:
Script LdbFileCheckerWE run on Admin Server: SAT1MVMAP263 and creates log at location:D:/PCTOOL/Logs/LDB/LdbFileLogsWE.txt
host = SAT1MVMAP263 source = D:\PCTOOL\Logs\LDB\LdbFileLogsWE.txt sourcetype = auto_preprod_ldb_log

===============================================================================================

7/31/18
8:15:00.000 PM

2018/07/31 19:15:00
Hello Ally\x96Hosting Windows Team,
Kindly refer below path,Server details and close below open user sessions:
Server Name: USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM
S:/PCTOOLS/005/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/061/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/084/CommLend/Comments/romcomm.ldb

How to do this?

I have used the below regex but it extracts only two:

rex field=_raw "(?<>S:\/.*)"

Re: What will be the Regex for creating the below alert?

sudosplunk — Wed, 01 Aug 2018 11:57:15 GMT

Hello,

Can you please explain more about this "I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM" :"
Also, there is no name for your name-capturing group in rex. Try this, rex field=_raw "^(?<put_some_fieldname>S:\/.*)"

Re: What will be the Regex for creating the below alert?

gcusello — Wed, 01 Aug 2018 12:06:54 GMT

Hi abhi04,
you could try something like this:

(?<file>\w:\/[^ ]*\.ldb)

that you can test at https://regex101.com/r/quFBpb/1

Bye.
Giuseppe

Re: What will be the Regex for creating the below alert?

abhi04 — Thu, 02 Aug 2018 08:17:27 GMT

This is not working
@cusello

Re: What will be the Regex for creating the below alert?

abhi04 — Thu, 02 Aug 2018 08:18:58 GMT

@nittala_surya, when I am adding the name _capture it wont show here, so you can assume any name in the <> .
Also the regex quoted by you does not work.

Re: What will be the Regex for creating the below alert?

sudosplunk — Thu, 02 Aug 2018 11:56:48 GMT

@abhi04, Firstly, I used the same regex (with ) you gave and it worked fine against your sample data. Did you check for the field under "Interesting Fields" section?
Secondly, you did not answer my question above. What do you mean by this "I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM" :" Do you want to extract the lines if event has "Server Name" only?

Re: What will be the Regex for creating the below alert?

abhi04 — Thu, 02 Aug 2018 12:04:50 GMT

You ignore the comment ""I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM" :".

I want to extract the lines with Server Name mentioned or not.

Re: What will be the Regex for creating the below alert?

sudosplunk — Thu, 02 Aug 2018 12:26:59 GMT

In that case the regex should definitely work! Please go to https://regex101.com/r/s96xpm/1 to validate regex against your sample.
And, I am still unsure of what your question is. Because, you have a working regex in your initial question. Can you explain where you're facing trouble?

Re: What will be the Regex for creating the below alert?

DalJeanis — Thu, 02 Aug 2018 14:47:39 GMT

I believe you just need to add max_match=0 to your | rex line, so that multiple copies of the regex match can occur in a single event.

Re: What will be the Regex for creating the below alert?

wanip — Tue, 29 Sep 2020 20:43:07 GMT

Hi,

Can you please try using the below, this will give you the count of that keyword appear in logs.

| rex field=_raw "(?i)\W(?PUSPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM)\W" | rename general_exception_type as Exception-Type| stats count by host, source,sourcetype, Exception-Type

Please try do let us know if that works.

Re: What will be the Regex for creating the below alert?

abhi04 — Fri, 03 Aug 2018 12:56:53 GMT

@nittala_surya - Yes, the regex is working fine when I tested in https://regex101.com/r/s96xpm/1 but wont extract all the lines in Splunk.

Re: What will be the Regex for creating the below alert?

abhi04 — Fri, 03 Aug 2018 14:07:14 GMT

thanks @DalJeanis, this works, but wanted to know why this was required. I have used regex previously for other patterns but never required this

Re: What will be the Regex for creating the below alert?

DalJeanis — Sat, 04 Aug 2018 01:50:30 GMT

@abhi04 - if a pattern is to match once, that parameter is not required. However, to use the same match multiple times in the same event, that parameter must be present. The other times that you didn't need it were probably because you were matching patterns that only mattered once.