Re: Trying to rex for an event thread

pranay04 · ‎03-29-2019

This is the Error Message in the log :

info [native] Creating Memory Dump upon ResourceExhausted Notification: unable to create new native thread

I am trying to rex for "info [native] Creating Memory Dump upon ResourceExhausted Notification" using syntax
rex "Creating Memory Dump upon '(?\w+)' Notification" and display in a dashboard but it does not work.

Anything wrong with it?

woodcock · ‎03-31-2019

Like this:

| makeresults 
| eval _raw="info [native] Creating Memory Dump upon ResourceExhausted Notification: unable to create new native thread"
| rex "^(?<msg>[^:]+)"

anthonymelita · ‎03-29-2019

You have several things wrong. Note: I'm also a RegEx novice.
Replace spaces with \s
You didn't name an extracted field <>
If the extracted word will always be between "upon" and "Notification" you can shorten the rest.

| makeresults
| eval sentence="info [native] Creating Memory Dump upon ResourceExhausted Notification: unable to create new native thread"
| rex field=sentence "(upon\s)(?<extracted_thing>\w+)(\sNotification)"

Trying to rex for an event thread?

configuration

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Trying to rex for an event thread?

configuration

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey