Re: RegEx Help

jerinvarghese · ‎04-22-2020

Need help in RegEx output.

Below is my _raw input

"<MTIER><TID: 0000000181> <CATEGORY:com.remedy.log.WEBSERVICES    > /* Wed Apr 22 2020 14:49:21.277  */  <LEVEL: FINE       > <Class: com.remedy.arsys.ws.services.ARService><Method: performOperation><TENANT: null                                         > <USER: na\xsmoogitsm                                 >  input document: <?xml version=""1.0"" encoding=""UTF-8""?>
<ROOT><Incident_Number>INC000013542725</Incident_Number><Work_Log_Type>General Information</Work_Log_Type><Locked>No</Locked><View_Access>Public</View_Access><Summary>AlertID: 171945364 : Open : USWNK-WANRTC001 : Node is down.
Class:Custom Trap
Host: uswnk-wanrtc001.</Summary><Notes>AlertID: 171945364 : Open : USWNK-WANRTC001 : Node is down.
Class:Custom Trap
Host: uswnk-wanrtc001.sa.xom.com
External ID: 34217579
Tier: 3
Impact: 2-Significant/Large
Urgency: 2-High</Notes><z2AF_Attachment1_attachmentOrigSize>0</z2AF_Attachment1_attachmentOrigSize><z2AF_Attachment2_attachmentOrigSize>0</z2AF_Attachment2_attachmentOrigSize><z2AF_Attachment3_attachmentOrigSize>0</z2AF_Attachment3_attachmentOrigSize></ROOT>"

I want below content to be filtered.

Class:Custom Trap
Open : USWNK-WANRTC001 : Node is down.
Host: uswnk-wanrtc001.sa.xom.com
Impact: 2-Significant/Large
Urgency: 2-High
INC000013542725
AlertID: 171945364

Wed Apr 22 2020 14:49:21.277

expected table output.
In tabular

There are spaces and punctuations were am facing challenges.
Please help me with this.

Few of the field I tried to capture.

| rex field=_raw "Incident_Number\W(?<ITSM_Number>.*)\W\WIncident_Number\W.*" 
| rex field=_raw "(Host:\s)(?<Hostname>[^\.<]+\.)" 
| rex field=_raw "(Urgency:\s)(?<Urgency>\S-\D*[{lmwh}$])"
| rex field=_raw "(AlertID:\s)(?<AlertID>[^\D*]+)"
| rex field=_raw "(Open\s:\s)(?<Description>[^\.*]+)"

jawahir007 · ‎04-22-2020

Try this: -

|rex "Class:(?<Class>[^:\n]*)\s*Host:.*\s*External\s*ID"|rex "Open\s*:\s*(?<Open>.*)\n"|rex "Host:(?<Host>.*)\s*External\s*ID"|rex "Impact:\s*\d*\-?(?<Impact>.*)\n"|rex "Urgency:\s*\d*\-?(?<Urgency>.*)<\/Notes"|rex "Incident_Number>\s*(?<Incident_Number>.*)<\/Incident_Number"|rex "Summary>AlertID:\s*(?<AlertID>\d*)"|rex "USER:\s*(?<USER>[^\s>]*)"|table Class,Open,Host,Impact,Urgency,Incident_Number,AlertID,USER

manjunathmeti · ‎04-22-2020

hi @jerinvarghese,

Try this:

| rex "(?<root>\<ROOT\>[\w\W\s]+\<\/ROOT\>)" 
| spath input=root 
| rex field=ROOT.Notes "AlertID[:\s]*(?<AlertID>\d+)[:\s]*(?<Description>[\w\W\s]+)\s*Class[:\s]*(?<Class>[\w\s]+)\s*Host[:\s]*(?<Host>[\w\W\.]+)\s*External\sID[:\s]*(?<External_ID>\d+)\s*Tier[:\s]*(?<Tier>\d+)\s*Impact[:\s]*(?<Impact>[\w\W]+)\s*Urgency[:\s]*(?<Urgency>[\w\-]+)" 
| rex "\/\*\s(?<dateTime>[\w\s:\.]+)\s\*\/" 
| rex "\<USER:\s(?<USER>[^\>]+)\>" 
| table AlertID, Description, Class,Host, External_ID, Tier, Impact, Urgency, dateTime, USER

Without spath:

| rex  "AlertID[:\s]*(?<AlertID>\d+)[:\s]*(?<Description>[\w\s:\-\.]+)\s*Class[:\s]*(?<Class>[\w\s]+)\s*Host[:\s]*(?<Host>[\w\-\.]+)\s*External\sID[:\s]*(?<External_ID>\d+)\s*Tier[:\s]*(?<Tier>\d+)\s*Impact[:\s]*(?<Impact>[\w\W]+)\s*Urgency[:\s]*(?<Urgency>[\w\-]+)" 
| rex "\/\*\s(?<dateTime>[\w\s:\.]+)\s\*\/" 
| rex "\<USER:\s(?<USER>[^\>]+)\>" 
| table AlertID, Description, Class,Host, External_ID, Tier, Impact, Urgency, dateTime, USER

Sample query:

| makeresults 
| eval _raw= "<MTIER><TID: 0000000181> <CATEGORY:com.remedy.log.WEBSERVICES> /* Wed Apr 22 2020 14:49:21.277  */  <LEVEL: FINE       > <Class: com.remedy.arsys.ws.services.ARService><Method: performOperation><TENANT: null> <USER: na\xsmoogitsm>  input document: <?xml version=\"1.0\" encoding=\"UTF-8\"?>
 <ROOT><Incident_Number>INC000013542725</Incident_Number><Work_Log_Type>General Information</Work_Log_Type><Locked>No</Locked><View_Access>Public</View_Access><Summary>AlertID: 171945364 : Open : USWNK-WANRTC001 : Node is down.
 Class:Custom Trap
 Host: uswnk-wanrtc001.</Summary><Notes>AlertID: 171945364 : Open : USWNK-WANRTC001 : Node is down.
 Class:Custom Trap
 Host: uswnk-wanrtc001.sa.xom.com
 External ID: 34217579
 Tier: 3
 Impact: 2-Significant/Large
 Urgency: 2-High</Notes><z2AF_Attachment1_attachmentOrigSize>0</z2AF_Attachment1_attachmentOrigSize><z2AF_Attachment2_attachmentOrigSize>0</z2AF_Attachment2_attachmentOrigSize><z2AF_Attachment3_attachmentOrigSize>0</z2AF_Attachment3_attachmentOrigSize></ROOT>" 
| rex "(?<root>\<ROOT\>[\w\W\s]+\<\/ROOT\>)" 
| spath input=root 
| rex field=ROOT.Notes "AlertID[:\s]*(?<AlertID>\d+)[:\s]*(?<Description>[\w\W\s]+)\s*Class[:\s]*(?<Class>[\w\s]+)\s*Host[:\s]*(?<Host>[\w\W\.]+)\s*External\sID[:\s]*(?<External_ID>\d+)\s*Tier[:\s]*(?<Tier>\d+)\s*Impact[:\s]*(?<Impact>[\w\W]+)\s*Urgency[:\s]*(?<Urgency>[\w\-]+)" 
| rex "\/\*\s(?<dateTime>[\w\s:\.]+)\s\*\/" 
| rex "\<USER:\s(?<USER>[^\>]+)\>" 
| table AlertID, Description, Class,Host, External_ID, Tier, Impact, Urgency, dateTime, USER

jerinvarghese · ‎04-23-2020

Please help in adding Incident_Number also to the search

manjunathmeti · ‎04-23-2020

Try this:

| rex  "AlertID[:\s]*(?<AlertID>\d+)[:\s]*(?<Description>[\w\s:\-\.]+)\s*Class[:\s]*(?<Class>[\w\s]+)\s*Host[:\s]*(?<Host>[\w\-\.]+)\s*External\sID[:\s]*(?<External_ID>\d+)\s*Tier[:\s]*(?<Tier>\d+)\s*Impact[:\s]*(?<Impact>[\w\W]+)\s*Urgency[:\s]*(?<Urgency>[\w\-]+)" 
 | rex "\/\*\s(?<dateTime>[\w\s:\.]+)\s\*\/" 
 | rex "\<USER:\s(?<USER>[^\>]+)\>" 
 | rex "\<Incident_Number\>(?<Incident_Number>[^\>]+)\<\/Incident_Number\>"
 | table AlertID, Description, Class,Host, External_ID, Tier, Impact, Urgency, dateTime, USER, Incident_Number

RegEx Help

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!