Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

regex to parse event log to metric index

vikashperiwal
Path Finder
‎06-17-2020 03:58 AM

Hi ,

 

I am trying to parse the event log in to metric index by using props and transform conf file, but getting issue with my regex format.

 

issue : i am not able to extract fields at index time.

Splunk Version : 7.1.x

transform:

[field_extraction]
REGEX = .*[write]\_log\svalues\:(?<host>\w*.\.\w*\.\w*)\.(?<metric_name>[\w\.\-]*)\s*(?<_value>\d{1,4})\s*(?<id>\d*)
FORMAT = host::$1 $2::$3 id::$4
WRITE_META = true

[metric-schema:extract_metrics]
METRIC-SCHEMA-MEASURES = _ALLNUMS_
METRIC-SCHEMA-WHITELIST-DIMS = host

 

 

Log:

[2020-05-15 22:40:45] [info] write_log values:hostname.abcd.com.cpu-45.percent-nice 20 1648489

 

i want to filter logs out of millions of log with value write_log...where ever i find write_log that should be indexed.

 

my metrics : 

Metric name - cpu-x.percent-nice
Metric value - 30
ID - 1648789
 
Any help is appreciated.
 
Thx
Labels (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-17-2020 06:53 AM

I wonder if using unnamed capture groups might help.  Try this

REGEX = write_log\svalues:(\w*.\.\w*\.\w*)\.([\w\.\-]*)\s*(\d{1,4})\s*(\d*)
---
If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!