topic Re: extract fields not working in Splunk Search

extract fields not working

skjelmose — Tue, 13 Aug 2013 12:39:43 GMT

Hi there,

I have an errp log from aix that i want to process and determine on with side of the cluster we had problems.

The log file extracted:

Date/Time:       Mon Aug 12 12:42:53 CEST 2013

Sequence Number: 383812
Machine Id: xxx
Node Id: xxx
Class: H
Type: PERM
WPAR: Global
Resource Name: hdisk1
Resource Class:
Resource Type:
Location:
VPD:
Manufacturer................xxx
Machine Type and Model......xxx
ROS Level and ID............5773
Serial Number...............xxx
Part Number.................xxx
EC Level....................xxx
LIC Node VPD................xxx
Device Specific.(Z0)........xxx
Device Specific.(Z1)........xxx
Device Specific.(Z2)........xxx
Device Specific.(Z3)........xxx
Device Specific.(Z4)........xxx
Device Specific.(Z5)........xxx
Device Specific.(Z6)........xxx

Description
PATH HAS FAILED

Probable Causes
ADAPTER HARDWARE OR CABLE
DASD DEVICE

Failure Causes
UNDETERMINED

    Recommended Actions
    PERFORM PROBLEM DETERMINATION PROCEDURES
    CHECK PATH

Detail Data
PATH ID
1
SENSE DATA
0600 0000 0000 0004 0000 0000 0000 0000 0000 0000 0000 0000 0200 0500 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000

The line I am interested are these 2

EC Level....................105283

EC Level....................105278

But unfortunatly I can see these lines when I choose Extract Fields

Date/Time: Mon Aug 12 12:43:53 CEST 2013
Sequence Number: 383782
Machine Id: xxx
Node Id: xxx
Class: H
Type: PERM
WPAR: Global
Resource Name: hdisk18
Resource Class:
Resource Type:
Location:
VPD:
Manufacturer................xxx
Machine Type and Model......xxx
ROS Level and ID............5773

Point is that I want to make a search for "PATH HAS FAILED" and from my field sort by which side of the mirror that failed (105283 OR 105278) and to some graphs.

Re: extract fields not working

lcrielaa — Tue, 13 Aug 2013 13:04:57 GMT

The following regex will find any digit at the end of "EC Level" and 20 dots.

(?<=EC Level\.{20})\d+

If you search for events containing "PATH HAS FAILED" and then use the above regex to extract the needed field, you could use that to send alerts or build graphs.

Is this what you were looking for?

Re: extract fields not working

skjelmose — Tue, 13 Aug 2013 13:15:49 GMT

Hi there,

Well it seems like thats what im looking for but how am i supposed to write it in the search bar:

index = aix "PATH HAS FAILED" | rex _raw (?<=EC Level.{20})d+ or ????

Thanks for your help so far greatly appreciated.

Re: extract fields not working

skjelmose — Tue, 13 Aug 2013 13:34:56 GMT

Hi there,
Well it seems like thats what im looking for but how am i supposed to write it in the search bar:
index = aix "PATH HAS FAILED" | rex _raw (?<=EC Level.{20})d+ or ????
Thanks for your help so far greatly appreciated.

Re: extract fields not working

skjelmose — Thu, 15 Aug 2013 07:32:42 GMT

Hi again,

Am I supposed to write it in the search bar:
index = aix "PATH HAS FAILED" | rex _raw (?<=EC Level.{20})d+ or ???? 🙂

Re: extract fields not working

lcrielaa — Mon, 28 Sep 2020 14:34:55 GMT

index=aix "PATH HAS FAILED" | rex field=_raw "(?<=EC Level.{20})(?\d+)"

This'll give you a field in the fieldpicker called "EC_Level" that'll match the EC Level number. You may have to tweak it.

If this answer helped you, please accept it.