topic Re: Regex Query Help: Need to Write a regex query for my log in Splunk Search

Regex Query Help: Need to Write a regex query for my log

mintughosh — Tue, 29 Sep 2020 19:54:49 GMT

Below given is one section of an event. The event has multiple such sections. I want to write a regex search query so that I can fetch the 3 fields from the below given log
1) 'Tableau Server (Service) ' (PD) is (Status).

2018-05-25 02:21:30.270 -0500_EXACT_10.218.108.14:RTEEPK08_:pid=12466_0x4364712fuser=request=_ RTEEPK08:
Status: DEGRADED
'Tableau Server Data Engine' (7653) is running.
'Tableau Server Coordination Service 0' (7633) is running.
'Tableau Server Search and Browse 0' (2542) is running.
'Tableau Server Tabadmin Service 0' (25262) is running.
'Tableau Server Gateway' (252564) is running.
'Tableau Server Cluster Controller' is stopped.
'Tableau Server Repository' status is not available.
'Tableau Server File Store' status is not available.

RTEEPK09:
Status: STOPPED
RTEEPK10:
Status: STOPPED

I already wrote a regex query to extract it in the form of table for host and Status. But I am having problems in writing the regex query for 'Tableau Server (Service)' (PD) is (Status).

Extract - (Service), (PD) and (Status)

Thank you
Note: This is a sample modified log file

Re: Regex Query Help: Need to Write a regex query for my log

FrankVl — Thu, 14 Jun 2018 07:59:42 GMT

Following should work:

| rex max_match=0 "Tableau Server (?<Service>[^']+)'\s*\(?(?<PD>\d+)?\)?\s+(?:is|status\s+is)\s+(?<Status>[\w\s]+)\."

https://regex101.com/r/pwEJae/1

Only trouble with this: it gets the data into multi valued fields which means that you loose a reliable connection between the different parts of each line. So you might want to consider splitting this into individual events for each line, before extracting the individual fields.

Re: Regex Query Help: Need to Write a regex query for my log

mintughosh — Thu, 14 Jun 2018 09:39:39 GMT

It gives me the following error.
Error in 'rex' command: The regex 'max_matches=0' does not extract anything. It should specify at least one named group. Format: (?...).

Should I be adding something more to that query ?

Re: Regex Query Help: Need to Write a regex query for my log

493669 — Thu, 14 Jun 2018 09:58:57 GMT

try max_match=0 instead of max_matches=0

Re: Regex Query Help: Need to Write a regex query for my log

mintughosh — Thu, 14 Jun 2018 10:23:05 GMT

Tried but not getting the results as expected. I am not able to fetch the (Service), (PD) and (Status).

Re: Regex Query Help: Need to Write a regex query for my log

mintughosh — Thu, 14 Jun 2018 10:35:14 GMT

Ok. My issue is Resolved. I have added few more parameter and then followed by query Frank Suggested and then i added table to it

Re: Regex Query Help: Need to Write a regex query for my log

FrankVl — Thu, 14 Jun 2018 10:59:20 GMT

Good catch, updated that in my answer.