topic Re: Regex not matching in Splunk Search

Why is my regex not matching?

michaelnorup — Tue, 28 Mar 2023 14:30:41 GMT

My regex from the message field looks like this.

| rex field=Message "\W(?<Hostname>\S+)\s\w+\W(?<Build>\S+)\s\w+\W(?<CpuCount>\S+)\s\w+\W(?<CpuTotalMhz>\S+)\s\w+\W(?<CpuUsageMhz>\S+)\s\w+\W(?<MemoryTotalMB>\S+)\s\w+\W(?<MemoryUsageMB>\S+)\s\w+\W(?<Version>\S+)" |

For some reason it matches and pulls out all the fields from this entry:

Message=Hostname=esx-pod1-nprd-112.mad.local Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=142 MemoryTotalMB=1048094.5625 MemoryUsageMB=9086 Version=7.0.3

But not from any other entries which could looks like this:

Message=Hostname=10.241.192.46 Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=8186 MemoryTotalMB=1048094.55859375 MemoryUsageMB=198624 Version=

Message=Hostname=esx-cl6-184.mad.local Build=19195723 CPUCount=20 CpuTotalMhz=49880 CpuUsageMhz=672 MemoryTotalMB=294587.2578125 MemoryUsageMB=52530 Version=

Re: Regex not matching

Gr0und_Z3r0 — Tue, 28 Mar 2023 10:02:54 GMT

hi @michaelnorup

Try this...

| makeresults | eval Message="Hostname=esx-pod1-nprd-112.mad.local Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=142 MemoryTotalMB=1048094.5625 MemoryUsageMB=9086 Version=7.0.3,Hostname=10.241.192.46 Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=8186 MemoryTotalMB=1048094.55859375 MemoryUsageMB=198624 Version=,Hostname=esx-cl6-184.mad.local Build=19195723 CPUCount=20 CpuTotalMhz=49880 CpuUsageMhz=672 MemoryTotalMB=294587.2578125 MemoryUsageMB=52530 Version=" | makemv Message delim="," | mvexpand Message | rex field=Message "Hostname\=(?<Hostname>[\w\-\.]+)\sBuild\=(?<Build>[\d]+)\sCPUCount\=(?P<CPUCount>[\d]+)\sCpuTotalMhz\=(?P<CpuTotalMhz>[\d]+)\sCpuUsageMhz\=(?P<CpuUsageMhz>[\d]+)\sMemoryTotalMB\=(?P<MemoryTotalMB>[\d\.]+)\sMemoryUsageMB\=(?P<MemoryUsageMB>[\d\.]+)\sVersion\=(?P<Version>.*)" | table Message Hostname Build CPUCount CpuTotalMhz CpuUsageMhz MemoryTotalMB MemoryUsageMB Version

~ If the reply helps a karma vote would be appreciated

Re: Regex not matching

gcusello — Tue, 28 Mar 2023 10:16:29 GMT

Hi @michaelnorup ,

please try this regex:

| rex field=Message "Hostname\=(?<Hostname>[^ ]*)\s+Build\=(?<Build>[^ ]*)\s+CPUCount\=(?<CPUCount>[^ ]*)\s+CpuTotalMhz\=(?<CpuTotalMhz>[^ ]*)\s+CpuUsageMhz\=(?<CpuUsageMhz>[^ ]*)\s+MemoryTotalMB\=(?<MemoryTotalMB>[^ ]*)\s+MemoryUsageMB\=(?<MemoryUsageMB>[^ ]*)\s+Version\=(?<Version>.*)"

Ciao.

Giuseppe

Re: Regex not matching

michaelnorup — Tue, 28 Mar 2023 10:17:52 GMT

It was because "Version" was empty. Fixed that in the script that populated the fields outside of splunk

Re: Regex not matching

gcusello — Tue, 28 Mar 2023 10:35:23 GMT

Hi @Gr0und_Z3r0 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉