Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract server name, HealthState, and HoggingTrheadCount from txt file

wilcoxj
New Member
‎05-03-2018 04:47 AM

I was thinking that I could do a rex to grab everything up to the newline but I am trying to categorize the below output into three fields.
Server, Health, and ThreadCount. I think a rex would do it but I am still new at writing rex/regex. Please assist or direct me to what I should try.

Date = "03-May-2018 07:04:31 -0400"
From = ""
To = ", "
Subject = "Daily Server Health Report"
CC = ""
mailbox = "INBOX"
size = 51929
____________________ Message Body ____________________
coreServer1
HealthState HEALTH_OK
HoggingThreadCount 0
coreServer2
HealthState HEALTH_OK
HoggingThreadCount 0
coreServer3
HealthState HEALTH_WARN,[ThreadPool has stuck threads]
HoggingThreadCount 1
fsServer1
HealthState HEALTH_OK
HoggingThreadCount 0
fsServer2
HealthState HEALTH_OK
HoggingThreadCount 0
fsServer3
HealthState HEALTH_OK
HoggingThreadCount 0
genServer1
HealthState HEALTH_OK
HoggingThreadCount 0
genServer2
HealthState HEALTH_OK
HoggingThreadCount 0
ociServer1
HealthState HEALTH_OK
HoggingThreadCount 0
ociServer2
HealthState HEALTH_OK
HoggingThreadCount 0
ociServer3
HealthState HEALTH_OK
HoggingThreadCount 0
sourceServer1
HealthState HEALTH_OK
HoggingThreadCount 0
sourceServer2
HealthState HEALTH_OK
HoggingThreadCount 0

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PowerPacked
Builder
‎05-03-2018 10:49 AM

Hi @wilcoxj

Please see this Regex & also i think you need to break this event properly into mutiple events.

alt text

Thanks

View solution in original post

Preview file
253 KB
0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-03-2018 10:54 AM

You could break your mail into multiple events, as @PowerPacked suggested. Alternatively, you could do do something like this:

| makeresults
| eval test="Date = '03-May-2018 07:04:31 -0400'
From = ''
To = ', '
Subject = 'Daily Server Health Report'
CC = ''
mailbox = 'INBOX'
size = 51929
Message Body 
coreServer1
HealthState HEALTH_OK
HoggingThreadCount 0
coreServer2
HealthState HEALTH_OK
HoggingThreadCount 0
coreServer3
HealthState HEALTH_WARN,[ThreadPool has stuck threads]
HoggingThreadCount 1
fsServer1
HealthState HEALTH_OK
HoggingThreadCount 0
fsServer2
HealthState HEALTH_OK
HoggingThreadCount 0
fsServer3
HealthState HEALTH_OK
HoggingThreadCount 0
genServer1
HealthState HEALTH_OK
HoggingThreadCount 0
genServer2
HealthState HEALTH_OK
HoggingThreadCount 0
ociServer1
HealthState HEALTH_OK
HoggingThreadCount 0
ociServer2
HealthState HEALTH_OK
HoggingThreadCount 0
ociServer3
HealthState HEALTH_OK
HoggingThreadCount 0
sourceServer1
HealthState HEALTH_OK
HoggingThreadCount 0
sourceServer2
HealthState HEALTH_OK
HoggingThreadCount 0"
| rex max_match=0 field=test "(?<allevents>\S+\nHealthState\s+\S+\nHoggingThreadCount\s+\d+)"
| fields _time allevents
| mvexpand allevents
| rex field=allevents "^(?<Server>.*?)\s+HealthState\s+(?<HealthState>.*?)\s+HoggingThreadCount\s+(?<ThreadCount>.*?)$"
| table _time Server HealthState ThreadCount

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma
Reply
Solved! Jump to solution

wilcoxj
New Member
‎05-03-2018 12:38 PM

How would I break up an IMAP message into multiple records? Would I have to create a custom props.conf or transforms.conf?

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-03-2018 12:51 PM

Yes, exactly.
You could put this in a custom props.conf:

[yoursourcetype]
LINE_BREAKER = ((?:Body\s*)|(?:HoggingThreadCount \d+))([\r\n]+)

You can see it work here:
https://regex101.com/r/iygoQ2/3

I've inserted empty lines and ##### where the events would get broken.

You must however be aware of the following:
- The part before your first data (the mail headers) would be a single event on it's own, you would have to either live with that or build another props entry to drop it
- This will be done to all your data from the same sourcetype
- You will loose the data from the header, especially the timestamp

Depending on the requirements, you might be better off with one or the other solution.

0 Karma
Reply
Solved! Jump to solution
Solution

PowerPacked
Builder
‎05-03-2018 10:49 AM

Hi @wilcoxj

Please see this Regex & also i think you need to break this event properly into mutiple events.

alt text

Thanks

Preview file
253 KB
0 Karma
Reply
Solved! Jump to solution

wilcoxj
New Member
‎05-03-2018 10:34 AM

I am hoping something like

Server HealthState ThreadCount
coreServer1 Health_OK 0
coreServer2 Health_OK 0

If that is possible.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-03-2018 08:17 AM

Do you want to keep those in a single event?
If you do field extraction, you might get a field "servername", but it would contain multiple values, e.g. (fsServer1, ociServer2, etc).
Can you show us how you would like your result to look like?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...