topic Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line? in Splunk Search

How do you get the following search to return a piece of the process status rather than the whole output of the command line?

bsaujla131984 — Fri, 09 Nov 2018 05:24:43 GMT

I have set up a query to check the status of linux/unix processes for a number of processes. However, when it displays the results, it shows the whole output of the command line instead of showing the status of process.

For example, the search is to check the output of process ABCDEF. But when I run the query, it shows as below:-

://java/path/abc: ABCDEF:/export/path/...

Is there a way I can extract just the process name instead of the whole command line as output?

Thanks,

Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line?

sudosplunk — Fri, 09 Nov 2018 13:00:14 GMT

Hi, give this a try base_search | rex field=_raw "\:\s(?<just_process_name>\w+)\:" | table just_process_name

The regex will only work with the format specified in question. If you have multiple formats of how process name appear in logs, then provide samples of all possible formats and I will help with the regex that matches all.

Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line?

bsaujla131984 — Tue, 29 Sep 2020 22:02:27 GMT

Thanks for your input, I tried following searches, however it is not working as expected:-

Search1:- index=Unix_process host="xxxxxx" ABCDEF COMMAND=java | dedup process | rex field=_raw ":\s(? \w+):" | table ABCDEF

Error:- Error in 'rex' command: Encountered the following error while compiling the regex ':\s(? \w+):': Regex: syntax error in subpattern name (missing terminator)

Search 2:- index=Unix_process host="xxxxxx" ABCDEF COMMAND=java | dedup process | rex field=_raw ":\s(?ABCDEF \w+):" | table ABCDEF

Error:- Error in 'rex' command: Encountered the following error while compiling the regex ':\s(?ABCDEF \w+):': Regex: unrecognized character after (? or (?-

Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line?

sudosplunk — Mon, 12 Nov 2018 14:42:44 GMT

Hi,

Looks like there is no name capturing group in your rex statement. A name capturing group (including <> angular brackets) should be provided in order for rex to work.

Regex tested here.

Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line?

bsaujla131984 — Tue, 13 Nov 2018 03:40:38 GMT

Can anyone assist with this please?

Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line?

sudosplunk — Tue, 13 Nov 2018 13:05:30 GMT

Did you try the regex exactly as I provided. Use this search index=Unix_process host="xxxxxx" ABCDEF COMMAND=java | dedup process | rex field=_raw "\:\s(?<just_process_name>\w+)\:" | table just_process_name

Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line?

DalJeanis — Tue, 13 Nov 2018 22:21:16 GMT

For this kind of query, your fastest iteration on trying extraction language might be to get onto the Splunk Slack channel, the #regex subchannel, and ask for help there. It looks like sudosplunk is getting you close, but some kind of problem is persisting. They can help you down there pretty fast.

Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line?

mstjohn_splunk — Wed, 14 Nov 2018 21:33:13 GMT

hi @bsaujla131984

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line?

bsaujla131984 — Fri, 16 Nov 2018 02:43:33 GMT

Hi SudoSplunk, It is not working, error message :-

Error in 'rex' command: Encountered the following error while compiling the regex ':\s(?PROCESS_NAME\w+):': Regex: unrecognized character after (? or (?-

Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line?

bsaujla131984 — Fri, 16 Nov 2018 04:24:38 GMT

No, It did not work...

Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line?

sudosplunk — Tue, 29 Sep 2020 22:00:28 GMT

Hi,

Regex: unrecognized character after (? or (?-

Based on above error, I think you specified a name for capture group but not in the format what regex recognizes. Put PROCESS_NAME inside angular brackets. `| rex field=_raw ":\s(?\w+):" | table PROCESS_NAME

Link for working regex.

Re: How do you get the following search to return a piece of the process status rather than the whole output of the command line?

bsaujla131984 — Sun, 18 Nov 2018 01:32:17 GMT

I had tried in angular brackets, however it was giving error as below:-

Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?...).