topic Re: Using REX where unique data is behind the required string in Splunk Search

Using REX where unique data is behind the required string

PhilAndreotti — Thu, 21 Aug 2014 14:51:40 GMT

I am quite new to Splunk and REX.

I am using the SNMP modular input app to poll one of my servers for multiple things. One value I poll for is the RAM used for each process. This is doing a full walk on the MIB I have provided and returns a long event which includes all the running processes. Below is an extract of the event (there are no lone breaks):

SNMPv2-SMI::mib-2."25.4.2.1.2.1064" = "ext4-dio-unwrit" SNMPv2-SMI::mib-2."25.4.2.1.2.1065" = "kworker/9:2" SNMPv2-SMI::mib-2."25.4.2.1.2.1070" = "VpnMonitor" SNMPv2-SMI::mib-2."25.4.2.1.2.1081" = "kworker/10:2" SNMPv2-SMI::mib-2."25.4.2.1.2.1113" = "sshd" SNMPv2-SMI::mib-2."25.4.2.1.2.1115" = "rsyslogd"

Each process has a unique PID, but this will change with every reboot. I need to use the above to extract the PID of a specific number of processes, then use that value to run another query to get its memory utilisation. I haven't yet figured out how I will do that either but one step at a time...

Using the above example, I am trying to extract the PID for rsyslogd. The PID is the final 4 digits in the long number beforehand, however that number is always preceeded with the same set of numbers of 25.4.2.1.2.

I have run a selection of REX options but because 25.4.2.1.2. is repeated so many times in the event, the return is greedy and either grabs the 1st or last depending on my expression. I can't get the REX to take in to account that I need the 4 digits after 25.4.2.1.2. but only its followed by " = "rsyslogd"

An example of my expression is:

search | rex "25.4.2.1.2.(?P<PID>\d{4})(\"\s=\s\"rsyslogd)" | table PID

I have tried many variations along the lines of the above but it will always ignore the following text.

Can anyone offer any suggestions for how I can get it to find my unique value?

Thanks in advance

Re: Using REX where unique data is behind the required string

richgalloway — Thu, 21 Aug 2014 15:16:40 GMT

Your rex expression worked fine for me on regexr.com using your sample data. Have you tried escaping the dots or using ?<PID> instead of ?P<PID>?

Re: Using REX where unique data is behind the required string

aweitzman — Thu, 21 Aug 2014 15:19:34 GMT

Your rex works perfectly for me. Are you certain that this string is in your raw data?

| gentimes start=-1 | eval _raw="SNMPv2-SMI::mib-2.\"25.4.2.1.2.1064\" = \"ext4-dio-unwrit\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1065\" = \"kworker/9:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1070\" = \"VpnMonitor\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1081\" = \"kworker/10:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1113\" = \"sshd\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1115\" = \"rsyslogd\"" | rex "25.4.2.1.2.(?P<PID>\d{4})(\"\s=\s\"rsyslogd)" | table PID

Re: Using REX where unique data is behind the required string

PhilAndreotti — Thu, 21 Aug 2014 15:30:26 GMT

Thank you both for the replies.

richgalloway - I have escaped the dots and tried without the P - no difference.

aweitzman - perhaps you are getting the correct result because the example I gave is a subset. If you ran the same while searching for the process"sshd" - i.e. NOT the last process in the list I don't think it would work. I have an extract of probably 100+ processes running on my Linux server.

Re: Using REX where unique data is behind the required string

aweitzman — Thu, 21 Aug 2014 15:37:38 GMT

I tried that, it works fine, too.

| gentimes start=-1 | eval _raw="SNMPv2-SMI::mib-2.\"25.4.2.1.2.1064\" = \"ext4-dio-unwrit\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1065\" = \"kworker/9:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1070\" = \"VpnMonitor\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1081\" = \"kworker/10:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1113\" = \"sshd\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1115\" = \"rsyslogd\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1116\" = \"sshd\"" | rex "25.4.2.1.2.(?<PID>\d{4})(\"\s=\s\"rsyslogd)" | table PID

Do you get 1116 when you cut/paste the above query? I correctly get 1115.

Re: Using REX where unique data is behind the required string

aweitzman — Thu, 21 Aug 2014 15:47:09 GMT

As an aside, @richgalloway is correct, you don't need the preceding P, since it's basically ignored. You also don't need the additional parentheses around the part following the PID matching group.

Re: Using REX where unique data is behind the required string

PhilAndreotti — Fri, 22 Aug 2014 07:17:39 GMT

Slightly embarrassing but user error - it is working! Thank you both for your answers.

I was looking for a specific PID relating to a specific process. While I was working on this, the server was rebooted (not by me) and as such, the PID I was looking for changed so I was looking for the wrong answer.

I was definitely getting the wrong answer for several hours - it was probably only the last 20mins before I submitted the question on the forum that I was actually getting the right answer. On a brighter note, I learned a lot through the process!

Thanks again for your help - it did help as it made me double check everything.