topic Re: How do i merge rex command to accommodate different set of events coming from same source ? in Splunk Search

How do i merge rex command to accommodate different set of events coming from same source ?

georgear7 — Mon, 16 Nov 2020 14:39:08 GMT

I have below 3 different set of events coming from same source. So i have extracted the field using rex command for each type of event. This is working fine when i use each 'rex' command separately. But when i combine all 3 rex commands, it's giving me 0 results. Is there any way to fix this ?

host01u,UAT,2300970,app.rmkb.hk-122,,Deployment Success
host01u,UAT,2319971,app.bww.label-34,HOLD,Deployment Success
host02u,UAT,2319237,app.static-540,No_File

My Query:
index=foo source=status.list
| rex field=_raw "(?<Server>\w+.*)\,(?<Environment>\w+.*)\,(?<Req>\d+.*)\,(?<Package>\w+.*)\,(?<Command>)\,(?<Deploy_Status>\w+.*)"
| rex field=_raw "(?<Server>\w+.*)\,(?<Environment>\w+.*)\,(?<Req>\d+.*)\,(?<Package>\w+.*)\,(?<Command>\w+.*)\,(?<Deploy_Status>\w+.*)"
| rex field=_raw "(?<Server>\w+.*)\,(?<Environment>\w+.*)\,(?<Req>\d+.*)\,(?<Package>\w+.*)\,(?<Deploy_Status>\w+.*)"
| stats latest(*) as * by Server,Environment,Package
| table Server,Environment,Req,Package,Deploy_Status
| dedup Server,Environment,Req,Package,Deploy_Status
| stats count by Deploy_Status

Re: How do i merge rex command to accommodate different set of events coming from same source ?

ITWhisperer — Mon, 16 Nov 2020 15:31:57 GMT

Try this single rex

| rex "^(?<Server>[^\,]+)\,(?<Environment>[^\,]+)\,(?<Req>[^\,]+)\,(?<Package>[^\,]+)\,(?<Command>[^\,]*)(|\,(?<Deploy_Status>[\w\s]*))$"

Re: How do i merge rex command to accommodate different set of events coming from same source ?

georgear7 — Mon, 30 Nov 2020 03:19:30 GMT

@ITWhisperer Thanks for your reply. This is working fine when i get all 3 types of events. But there are times in which i will get only below type of event. In this case, the given rex command is not working. Can you advise ?

host02u,UAT,2319237,app.static-540,No_File

Re: How do i merge rex command to accommodate different set of events coming from same source ?

ITWhisperer — Mon, 30 Nov 2020 08:31:33 GMT

The expression works with the string when used in regex101.com. Please can you post your query as you have it at the moment?

Re: How do i merge rex command to accommodate different set of events coming from same source ?

georgear7 — Thu, 03 Dec 2020 05:22:18 GMT

Below is my current query.

index=foo source=status.list
| rex "^(?<Server>[^\,]+)\,(?<Environment>[^\,]+)\,(?<Req>[^\,]*)\,(?<Package>[^\,]+)(|\,(?<Command>[^\,]*))(|\,(?<Deploy_Status>[\w\s]*))$"
| stats latest(*) as * by Server,Environment,Package
| table Server,Environment,Req,Package,Deploy_Status
| dedup Server,Environment,Req,Package,Deploy_Status
| stats count by Deploy_Status

Re: How do i merge rex command to accommodate different set of events coming from same source ?

ITWhisperer — Thu, 03 Dec 2020 09:41:46 GMT

You put in some extra characters which weren't in my suggestion

| rex "^(?<Server>[^\,]+)\,(?<Environment>[^\,]+)\,(?<Req>[^\,]*)\,(?<Package>[^\,]+)(|\,(?<Command>[^\,]*))(|\,(?<Deploy_Status>[\w\s]*))$"

Re: How do i merge rex command to accommodate different set of events coming from same source ?

georgear7 — Fri, 04 Dec 2020 02:20:12 GMT

Your suggestion didn't help me to capture below type of events. So i have done those changes.

host02u,UAT,2319237,app.static-540,No_File