Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Problem with Splunk for Nagios
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I join 2 &3 generated pattern regex to replace the nagios-host Down notifications-Last
60 minutes in number 1 to display all hosts and why is number 1 above expression not working in
the splunk for nagios default state.
This is the parameter for nagios-host Down notifications-Last 60 minutes
- index=nagios nagiosevent="HOST NOTIFICATION" hostnotificationstatus="DOWN" | dedup hostnotificationstatus hostnotification | top hostnotificationstatus by hostnotification limit="10" | fields + hostnotification hostnotificationstatus count
However this does not work I have tries to troubleshot this by checking each of the regx parameters
The nagios EXTRACT-hostnotificationstatus regular expression I copied and generate patters as follows
- index=nagios sourcetype="nagiosevent" | head 10000 | rex ".+HOST NOTIFICATION\:[^;]+;[^;]+;(?P
[^;]*)(?=;)" | top 50 hostnotificationstatus
and
For the nagios EXTRACT-hostnotification regex is as follows
- index=nagios sourcetype="nagiosevent" | head 10000 | rex ".+\w NOTIFICATION\:[^;]+;(?P
[^;]*)(?=;)" | top 50 hostnotification
Note:
Sourcetype= nagiosevent
index= nagios
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just in the case that anyone is out there in my predicament, This is what I have done that seems to make it work. Although I am not sure if I am correct, please not I am very new to splunk, splunk for nagios and limited knowledge with regex please do not slam me.
I have got this expression which I have just tested against my dater that works but I do not want it to be limited any input will highly appreciated.
index=nagios sourcetype="nagiosevent" | head 10000 | rex ".+HOST NOTIFICATION:[^;]+;[^;]+;(?P
So I went to modify the saved saved search by going to manager / searched & report and copy my generated pattern reges and paste.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just in the case that anyone is out there in my predicament, This is what I have done that seems to make it work. Although I am not sure if I am correct, please not I am very new to splunk, splunk for nagios and limited knowledge with regex please do not slam me.
I have got this expression which I have just tested against my dater that works but I do not want it to be limited any input will highly appreciated.
index=nagios sourcetype="nagiosevent" | head 10000 | rex ".+HOST NOTIFICATION:[^;]+;[^;]+;(?P
So I went to modify the saved saved search by going to manager / searched & report and copy my generated pattern reges and paste.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
