Re: Trying to rex for an event thread

pranay04 · ‎03-29-2019

This is the Error Message in the log :

info [native] Creating Memory Dump upon ResourceExhausted Notification: unable to create new native thread

I am trying to rex for "info [native] Creating Memory Dump upon ResourceExhausted Notification" using syntax
rex "Creating Memory Dump upon '(?\w+)' Notification" and display in a dashboard but it does not work.

Anything wrong with it?

woodcock · ‎03-31-2019

Like this:

| makeresults 
| eval _raw="info [native] Creating Memory Dump upon ResourceExhausted Notification: unable to create new native thread"
| rex "^(?<msg>[^:]+)"

anthonymelita · ‎03-29-2019

You have several things wrong. Note: I'm also a RegEx novice.
Replace spaces with \s
You didn't name an extracted field <>
If the extracted word will always be between "upon" and "Notification" you can shorten the rest.

| makeresults
| eval sentence="info [native] Creating Memory Dump upon ResourceExhausted Notification: unable to create new native thread"
| rex field=sentence "(upon\s)(?<extracted_thing>\w+)(\sNotification)"

Trying to rex for an event thread?

configuration

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

Trying to rex for an event thread?

configuration

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console