Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Need help with Regex

AK_Splunk
Explorer
‎01-04-2023 09:34 PM

Need help with Regex

field ------------------------feildvalue

servername ---------- xtestf100s

log_level--------------INFO OR error or warning

message ------------ anything from gofer till end


Jan 3 03:50:38 xtestf100s goferd: [INFO][worker-0] gofer.messaging.adapter.connect:28 - connecting: proton+amqps://xtest123s.pharma.aventis.com:5647
Jan 3 03:50:38 xtestf100s goferd: [INFO][worker-0] gofer.messaging.adapter.proton.connection:87 - open: URL: amqps://xtest123s.pharma.aventis.com:5647|SSL: ca: /etc/rhsm/ca/katello-default-ca.pem|key: None|certificate: /etc/pki/consumer/bundle.pem|host-validation: None
Jan 3 03:50:38 xtestf100s goferd: [ERROR][worker-0] gofer.messaging.adapter.connect:33 - connect: proton+amqps://xtest123s.pharma.aventis.com:5647, failed: Connection amqps://xtest123s.pharma.aventis.com:5647 disconnected: Condition('proton.pythonio', 'Connection refused to all addresses')
Jan 3 03:50:38 xtestf100s goferd: [INFO][worker-0] gofer.messaging.adapter.connect:35 - retry in 106 seconds
Jan 3 03:50:54 xtestf100s kernel: type=1400 audit(1672714254.276:566412): avc: denied { read } for pid=75981 comm="ip" name="libCvDllFilter.so" dev="dm-13" ino=393745 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 3 03:50:54 xtestf100s kernel: type=1400 audit(1672714254.276:566413): avc: denied { open } for pid=75981 comm="ip" path="/opt/commvault/Base64/libCvDllFilter.so" dev="dm-13" ino=393745 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 3 03:50:54 xtestf100s kernel: type=1400 audit(1672714254.276:566414): avc: denied { getattr } for pid=75981 comm="ip" path="/opt/commvault/Base64/libCvDllFilter.so" dev="dm-13" ino=393745 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 3 03:50:54 xtestf100s kernel: type=1400 audit(1672714254.276:566415): avc: denied { execute } for pid=75981 comm="ip" path="/opt/commvault/Base64/libCvDllFilter.so" dev="dm-13" ino=393745 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 3 03:51:43 xtestf100s kernel: type=1400 audit(1672714303.392:566416): avc: denied { read } for pid=77988 comm="ip" name="Base" dev="dm-13" ino=116 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Jan 3 03:51:43 xtestf100s kernel: type=1400 audit(1672714303.392:566417): avc: denied { read } for pid=77988 comm="ip" name="libCvDllFilter.so" dev="dm-13" ino=393745 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

Labels (2)
Labels
0 Karma
Reply

AK_Splunk
Explorer
‎01-06-2023 01:30 AM

Hi ,

Thanks for your response but can you guide how to send sample data by using preformatted style or code block .

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-06-2023 02:46 AM

Hi @AK_Splunk,

to send code or sample data use the "Insert/Edit code sample" ("</>") button.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2023 12:23 AM

Hi @AK_Splunk,

in your regex there are two different logs, if you want to take as message from "gofer" to the end of row you can use the following regex:

<your_search>
|c rex "^(?<timestamp>\w+ \d+ \d+:\d+:\d*)\s+(?<servername>\w+)[^\[]+\[(?<log_level>[^\]]+)\][^\]]+\]\s+(?<message>.*)"

that you can test at https://regex101.com/r/tQJVAm/1 

about the second part of logs, what do you want to extract?

Ciao.

Giuseppe

Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-05-2023 12:15 AM

Again - use preformatted style or code block to include blocks of text which should not be "massacred" by the browser. (like event samples).

The hostname extraction should work pretty well with standard transform "syslog-host". And it should be done in index-time since you probably want to have this as host field. Otherwise, if you really only need it as search-time extraction,  just copy the regex from the syslog-host transform.

For log level... the most obvious one that comes to mind is

\[(?<log_level>INFO|ERROR|WARNING)\]

But this might not be the best idea depending on how you want it anchored within the event.

For message - with your definition - it would be

(?<message>goferd.*)

But that's probably _not_ what you want. And while Splunk can sometimes optimize some things relatively well, you might want to rewrite multiple separate extractions into a single regex with multiple capturing groups.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...