topic Searching the log pattern in Splunk Search

Searching the log pattern

keshab — Mon, 07 Nov 2011 20:11:12 GMT

2011-11-07 13:25:35,145 FE (Exe 45) (pid 11788) destroyed

2011-11-07 13:25:35,152 PNG.exe (Exe 64) (pid 17286) destroyed

2011-11-07 13:25:35,158 K (Exe 44) (pid 11706) destroyed

2011-11-07 13:25:35,160 Kernel 44 released

2011-11-07 13:25:39,976 FE (Exe 66) initialized

2011-11-07 13:25:41,386 K (Exe 65) initialized

2011-11-07 13:39:14,750 Kernel 47 acquired

2011-11-07 13:39:16,139 PNG.exe (Exe 67) initialized

2011-11-07 13:49:27,829 FE (Exe 48) (pid 12912) destroyed

2011-11-07 13:49:27,838 PNG.exe (Exe 67) (pid 17786) destroyed

2011-11-07 13:49:27,868 K (Exe 47) (pid 12830) destroyed

2011-11-07 13:49:27,869 Kernel 47 released

2011-11-07 13:49:27,982 FE (Exe 69) initialized

2011-11-07 13:49:29,524 K (Exe 68) initialized

2011-11-07 13:58:19,630 Kernel 49 acquired

2011-11-07 13:58:20,147 PNG.exe (Exe 70) initialized

In the above log I only to search for log lines that has K and ends with initialized or destroyed. So my search result should be

2011-11-07 13:25:35,158 K (Exe 44) (pid 11706) destroyed

2011-11-07 13:25:41,386 K (Exe 65) initialized

2011-11-07 13:49:27,868 K (Exe 47) (pid 12830) destroyed

2011-11-07 13:49:29,524 K (Exe 68) initialized

What might be the possible search query??

Re: Searching the log pattern

tgow — Mon, 07 Nov 2011 21:16:04 GMT

Maybe this would work but I am not sure what your field extraction is looking like:

sourcetype=<yoursourcetype> | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

Re: Searching the log pattern

keshab — Tue, 08 Nov 2011 17:15:32 GMT

It didn't work..didn't return anything at all

Re: Searching the log pattern

tgow — Tue, 08 Nov 2011 17:20:14 GMT

Did you replace the sourcetype= with your unique sourcetype of your data? For example,

sourcetype=system | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

You can also replace the sourcetype with either the source or host for instance, ie:

source=kernel.log | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

host=mysystem123 | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

Re: Searching the log pattern

keshab — Tue, 08 Nov 2011 21:09:34 GMT

Problem is with this rex field=_raw "<kernel>\s+(?[^$]+)$" It's not matching my any of log pattern

Re: Searching the log pattern

tgow — Tue, 08 Nov 2011 21:13:51 GMT

I noticed that you missed a "\" in your last comment in front of the first "s+". I tested the regex with your data and it worked. Make sure that your search is similar to the following:

sourcetype=system | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")