topic Re: RegEx help in Splunk Search

RegEx help

jerinvarghese — Mon, 08 Jun 2020 21:19:00 GMT

Hi All,

need help in getting a regex code for the below message.

2020-04-04T15:08:01+00:00 usdaldc <44>  %WAAS-HTTPAO-4-131001: (843570) worker pool isn't healthy
2020-04-04T15:08:01+00:00 usdaldc <43>  %WAAS-HTTPAO-3-131003: (843509) AOSHELL worker thread (28814 0.0) stuck for 650000 msec: start 0x7feedd6aa880(/cisco/lib64/libaoshell.so+0x50880), callback 0x4a6140(/sw/unicorn/bin/http_ao64+0xa6140)

wanted data format: in tabular wrt to the above alarm

Device  Alarm   Message
usdaldc WAAS-HTTPAO worker pool isn't healthy
usdaldc WAAS-HTTPAO AOSHELL worker thread

please help me with the code.

Re: RegEx help

gcusello — Mon, 06 Apr 2020 16:27:16 GMT

Hi @jerinvarghese,
Try this:

| rex "\d{4}-\d{2}-\d{2}T\d\d:\d\d:\d\d+\+\d\d:\d\d\s+(?<device>[^ ]+)\s+\<\d+\>\s+\%(?<alarm>\w+-\w+)[^ ]*\s+\(\d+\)\s+(?<message>[^\(]+)((\s+\(\d+\s+)|$)"

that you can test at https://regex101.com/r/zuJBnj/1 .

Ciao.
Giuseppe

Re: RegEx help

jerinvarghese — Tue, 07 Apr 2020 12:17:27 GMT

I still have a challenge,

Yesterday i noticed some more other alarms comes in with a different pattern in messages. please help me.

COde that you shared me with the logs.....

 | rex field=_raw "\d{4}-\d{2}-\d{2}T\d\d:\d\d:\d\d+\+\d\d:\d\d\s(?<device>[^ ]+)\s<\d\d>\s\s%(?<alarm>\w+-\w+)[^ ]*\s+\(\d+\)\s+(?<Log>[^\(]+)((\s+\(\d+\s+)|)"

2020-04-04T15:08:05+00:00 usdaldc <44>  %WAAS-HTTPAO-4-131001: (143581) worker pool isn't healthy
2020-04-04T15:08:05+00:00 usdaldc <43>  %WAAS-HTTPAO-3-131003: (143528) AOSHELL worker thread

New alarms that I notice and the regex that i created.

    |rex fiel=_raw "\d{4}-\d{2}-\d{2}T\d\d:\d\d:\d\d+\+\d\d:\d\d\s(?<device>[^ ]+)\s<\d\d>\s\s%(?<alarm>\w+-\w+)[^ ]\d-\d{6}:\s(?<message>[^\(]+)"

2020-04-07T11:33:08+00:00 bempp <43>  %WAAS-NODEMGR-3-330105: Keepalive problem: Could not register nodemgr. [7]
2020-04-07T11:11:29+00:00 gbfaw <43>  %WAAS-NODEMGR-3-330105: Keepalive problem: Could not register nodemgr. [7]

How can i merge both regex together.
When am using together.. complete output is gong wrong..

Re: RegEx help

gcusello — Tue, 07 Apr 2020 12:41:04 GMT

Hi @jerinvarghese,
the new log is different from the previous,
if it could be acceptable for you that the message is all the last part of the log, try tris:

| rex "\d{4}-\d{2}-\d{2}T\d\d:\d\d:\d\d+\+\d\d:\d\d\s(?<device>[^ ]+)\s<\d\d>\s\s%(?<alarm>\w+-\w+)[^ ]*\s+(\(\d+\)\s+)*(?<message>.*)"

that you can test at https://regex101.com/r/k3uJVl/1

Ciao.
Giuseppe