Archive
Highlighted

Wildcards in the middle and end of a string

Explorer

search index=DBG_SYS sourcetype=DBG_SYS msg="Shelf 1 congestion, resource cps level 2." OR msg="Shelf 1 slot * congestion, resource cpu level *"

I have a search that works, but I am getting warnings about having Wildcards in the middle of a string.
Not sure how to avoid this since Slot numbers can be 0-99 and the level can be 0-99 also.
Is it possible to look for
Shelf 1 slot (any integer) congestion, resource cpu level (any integer)

Tags (1)
0 Karma
Highlighted

Re: Wildcards in the middle and end of a string

Champion

Hi @jamesfdally

Try like

|regex msg="Shelf 1 slot\s(\d{1,2})\scongestion, resource cpu level\s(\d{1,2})" 
0 Karma
Highlighted

Re: Wildcards in the middle and end of a string

Explorer

I do not understand where I should put this. Should I keep my original search and add this? Then I will still get the same warning on my scheduled search every day. I have an OR statement in my search also so I need more information please.

0 Karma
Highlighted

Re: Wildcards in the middle and end of a string

Explorer
index=DBG_SYS
sourcetype=DBG_SYS 
msg="Shelf 1 congestion, resource cps level 2." 
OR msg="Shelf 1 slot * congestion, resource cpu level *" 
    | rex field=msg "cpu level+\s(?<level>\d+)" 
    | rex field=msg "cps level+\s(?<level>\d+)" 
    | where level>0 
    | eval local_date_hour=strftime(_time,"%H") 
    | stats by local_date_hour host msg 
    | table local_date_hour host msg count(code) 
    | rename count(code) as hits ] 
| rename local_date_hour as Hour 
| sort by Hour
0 Karma
Highlighted

Re: Wildcards in the middle and end of a string

Champion

try

 index=DBG_SYS sourcetype=DBG_SYS msg="Shelf 1 congestion, resource cps level 2." 
      | append 
          [| search index=DBG_SYS sourcetype=DBG_SYS 
          | regex msg="Shelf 1 slot\s(\d{1,2})\scongestion, resource cpu level\s(\d{1,2})" ] 
          | rex field=msg "cpu level+\s(?<level>\d+)" 
          | rex field=msg "cps level+\s(?<level>\d+)" 
          | where level>0 
          | eval local_date_hour=strftime(_time,"%H") 
          | stats by local_date_hour host msg 
          | table local_date_hour host msg count(code) 
          | rename count(code) as hits 
      | rename local_date_hour as Hour 
      | sort by Hour
0 Karma