topic Re: Regular expression in log message in Splunk Search

Regular expression in log message

nanachu — Fri, 04 Oct 2019 05:08:20 GMT

I'm struggling now.
Could you please help me?

There are two hosts. they have same log data.

the host name is different but the same data is indexed.
host 1 is the master.
If host 1 fails, 2 becomes the master.

If an alert is created as it is, two alerts will be created for the same event. So I am trying to make the same event into one using dedup.

There is a message in the log, only the number changes.

Error message ××× occur

I want to create field to use dedup.
I know it is wrong but I want to do like this one.

message = "Error message \ d \ d \ d occur"
| dedup message

I can't come up with a way.

Could you help me?

Thank you.

Re: Regular expression in log message

Sfry1981 — Fri, 04 Oct 2019 07:47:53 GMT

Hi @nanachu

Does what you state about the dedup not work as this should eliminate any duplicate messages and always just pick one from the first host?

Also on the alert you can add a throttle so the same alert is not triggered twice?

You also mentioned about regular expression in the log message. Do you mean you have created a regex to extract from the raw data t get this info?

Re: Regular expression in log message

aholzel — Fri, 04 Oct 2019 08:44:11 GMT

If the number changes than the message is not the same. That is why you still see both messages. What you can do is a replace, to remove the number and than do the dedup. something like this based on the layout of the message field you provided:

| eval message=replace(message, "([^\d]*)(\d*\s*\d*\s*\d*)(.*)","\1\3")

Re: Regular expression in log message

nanachu — Fri, 04 Oct 2019 08:51:55 GMT

Thank you for helping me.
Sorry, my English is bad.

I can not create field like
because
|eval message = "Error message * * * occur" does not work.
so, I want to know how to create field that put a regular expression in message.