Searching string with patterns

New Member

Hi, I would like to search for all results matching this specific string pattern:

'record has not been created for id XXXXXXXXXX,XXXXXXXXXX in DB'

Note that:
XXXXXXXXXX is a variable value, always 10 characters long.
Sample text: 'record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB'
Any help would be highly appreciated. Thanks

0 Karma
1 Solution

Motivator

Hello @akki2428,

Check out the regex command:

| makeresults | eval _raw="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB"
| regex _raw="record has not been created for id \w{10},\w{10} in DB"

Somewhat more flexible, you could also extract the ID as new fields and filter on these fields:

| makeresults | eval _raw="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB"
| rex field=_raw "record has not been created for id (?<id1>\w+),(?<id2>\w+) in DB"
| eval len_id1=len(id1) | eval len_id2=len(id2)
| search len_id1=10 len_id2=10

0 Karma

New Member

Thanks @whrg, I tried using this command. It returns a record just for id x1IoGPTIBP. All other records are missed.

0 Karma

Motivator

@akki2428 The search query above using makeresults creates only one record for testing purposes. Your search should be something like this:

index=yourindex sourcetype=...
| regex _raw="record has not been created for id \w{10},\w{10} in DB"

If that does not work, perhaps you could post some other records.

0 Karma

New Member

Sorry for being a Splunk noob @whrg. This works as expected. Thanks

0 Karma

New Member

Hi @whrg. If instead of the length I want to compare whether both IDs are equal, then just |search id1=id2 should work? I tried, but it is not returning any result.

0 Karma

Motivator

The search command's syntax is FIELD=VALUE. So |search id1=id2 will filter for the field id1 containing the string "id2".

You want to use where instead of search. where evaluates boolean expressions. Try: |where id1==id2

This should also work:

| regex _raw="record has not been created for id (\w{10}),\1 in DB"

0 Karma

New Member

Hi @whrg, my search string is now "record failed (state error) for ID x1IoGPTIBP". It doesn't extract the ID, I guess because of the (state error) included in the search string. How can we escape this?

| makeresults | eval _raw="record  failed (state error) for  ID x1IoGPTIBP"
| rex field=_raw "record  failed (state error) for  ID (?<id1>\w+)"
| table id1

0 Karma

Motivator

Hello @akki2428, use backslashes to escape special characters:

| makeresults | eval _raw="record  failed (state error) for  ID x1IoGPTIBP"
| rex field=_raw "record  failed \(state error\) for  ID (?<id1>\w+)"
| table id1

0 Karma
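As an added example that is not part of the original thread, the following search ties the accepted solution, the where/== comparison and the escaped (state error) pattern together on more than one record: it expands several constructed test lines out of a single makeresults row, so the behaviour of each step can be checked at once. The field name `line`, the sample IDs and the single-spaced "record failed" text are assumptions made for this example; on real data the first five lines are replaced by `index=... sourcetype=...`, which already provides `_raw`.

```spl
| makeresults
| eval line="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB|record has not been created for id aB3dE5fG7h,zZ9yY8xX7w in DB|record has not been created for id short,short in DB|record failed (state error) for ID Qw8Er9Ty0U|some unrelated event"
| makemv delim="|" line
| mvexpand line
| eval _raw=line
| rex field=_raw "record has not been created for id (?<id1>\w{10}),(?<id2>\w{10}) in DB"
| rex field=_raw "record failed \(state error\) for ID (?<failed_id>\w{10})"
| eval ids_equal=if(isnotnull(id1) AND id1==id2, "yes", "no")
| where isnotnull(id1) OR isnotnull(failed_id)
| table _raw id1 id2 ids_equal failed_id
```

The "short,short" line and the unrelated event are dropped by the where clause because neither rex extracted anything, the first two lines get ids_equal set to yes and no respectively, and the escaped pattern populates failed_id for the "(state error)" line.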

Builder

The proposed search uses "makeresults" to be the data generator. You will need to provide the data generator part of the command to replace the "makeresults" portion of the suggested search. If you create a search to pipe to the regex, it should match more than the two you provided.

0 Karma