Alerting

field extraction

sphiwee
Contributor

I have the following log


!!! --- HUB ctxsdc1cvdi013.za.sbicdirectory.com:443 is unavailable --- !!! user='molefe_user' password='molefe' quota='user' host='002329bvpc123cw.branches.sbicdirectory.com' port='443' count='1' !!! --- HUB 002329bvpc123cw.branches.sbicdirectory.com:443 is unavailable --- !!! host='005558bvpc5ce4w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 005558bvpc5ce4w.za.sbicdirectory.com:443 is unavailable --- !!! host='41360jnbpbb758w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 41360jnbpbb758w.za.sbicdirectory.com:443 is unavailable --- !!! host='48149jnbpbb041w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 48149jnbpbb041w.za.sbicdirectory.com:443 is unavailable --- !!! user='pips_lvl_one_user' password='pips_lvl_one' quota='user'

 

I have above log and I'm struggling to extract the colored items
ctxsdc1cvdi013.za.sbicdirectory.com = as workstation ID
is unavailable = as  status
molefe = as quota

Labels (1)
Tags (2)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

Run this search and check the rex statement

| makeresults
| eval _raw="!!! --- HUB ctxsdc1cvdi013.za.sbicdirectory.com:443 is unavailable --- !!! user='molefe_user' password='molefe' quota='user' host='002329bvpc123cw.branches.sbicdirectory.com' port='443' count='1' !!! --- HUB 002329bvpc123cw.branches.sbicdirectory.com:443 is unavailable --- !!! host='005558bvpc5ce4w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 005558bvpc5ce4w.za.sbicdirectory.com:443 is unavailable --- !!! host='41360jnbpbb758w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 41360jnbpbb758w.za.sbicdirectory.com:443 is unavailable --- !!! host='48149jnbpbb041w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 48149jnbpbb041w.za.sbicdirectory.com:443 is unavailable --- !!! user='pips_lvl_one_user' password='pips_lvl_one' quota='user'"
| rex "!!! --- HUB (?<workstationId>[^:]*):\d+\s(?<status>[^-]*).*?password='(?<quota>[^']*)"

However, did you want the password molefe to be the quota?

Also, this was posted as a single line log message and you only wanted those 3 fields - was that correct - the rex statement will get those.

However, it assumes the :port number will always be present. regex would need to change if that's not the case.

 

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

Run this search and check the rex statement

| makeresults
| eval _raw="!!! --- HUB ctxsdc1cvdi013.za.sbicdirectory.com:443 is unavailable --- !!! user='molefe_user' password='molefe' quota='user' host='002329bvpc123cw.branches.sbicdirectory.com' port='443' count='1' !!! --- HUB 002329bvpc123cw.branches.sbicdirectory.com:443 is unavailable --- !!! host='005558bvpc5ce4w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 005558bvpc5ce4w.za.sbicdirectory.com:443 is unavailable --- !!! host='41360jnbpbb758w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 41360jnbpbb758w.za.sbicdirectory.com:443 is unavailable --- !!! host='48149jnbpbb041w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 48149jnbpbb041w.za.sbicdirectory.com:443 is unavailable --- !!! user='pips_lvl_one_user' password='pips_lvl_one' quota='user'"
| rex "!!! --- HUB (?<workstationId>[^:]*):\d+\s(?<status>[^-]*).*?password='(?<quota>[^']*)"

However, did you want the password molefe to be the quota?

Also, this was posted as a single line log message and you only wanted those 3 fields - was that correct - the rex statement will get those.

However, it assumes the :port number will always be present. regex would need to change if that's not the case.

 

sphiwee
Contributor

Can I also get the results of your search

0 Karma

sphiwee
Contributor

Hi the port will always be the same, however when I run this regex command in my search it doesnt extract anything

sphiwee_0-1631690245103.png

 

 

Quota I think it was extracted automatically and its wrong hence I wanted the regex way

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Can you provide your search and an exact replica of your data. If that rex statement does not work in your environment, then the data you provided in your original post is not the same as the data in your search.

 

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...