Getting inconsistent extraction

srinivas_gowda · ‎11-10-2021

Hello all,

I am trying to extract the below highlighted fields, but the extractions at time is failing to get the required values, can you please help me get this working.

1) 537654 High 2021.11.10 10:53:50 RDS_Failure_notification01 prd-Server2 127.0.0.1 sns.event EventSource : db-instance IdentifierLink : https://console.aws.amazon.com SourceId : prd-Server2 EventId : http://docs.aws.amazon.com EventMessage : DB instance restarted TopicArn : arn:aws:sns:ap-northeast-1:123456789:Lambda-PRD-Server1-SSS

2) 536465 High 2021.11.09 23:07:33 Server just booted [prd-Server1] prd-Server1 127.0.0.1 Server Status ~~00:04:44~~

3) 536438 High 2021.11.09 23:01:02 App Proxy: Utilization of unreachable poller processes over 80% prd-Server3 127.0.0.1 Utilization of unreachable poller data collector processes, in % ~~100 %~~

4) 448232 Average 2021.11.09 09:56:02 App Proxy: Utilization of unreachable poller processes over 70% prd-Server4 127.0.0.1 Utilization of unreachable poller data collector processes, in % ~~100 %~~

BOLD - Field1

Underlined -Field2

~~Strikethrough - Field3~~

@ITWhisperer @javiergn @richgalloway Please have a look at this.

Thank you

srinivas_gowda · ‎11-11-2021

Hello, thanks for the response. But, this is not working for the highlighted fields.

ITWhisperer · ‎11-11-2021

In what way is it not working? Which fields are you not getting? Which events is it not working for? The more information you can give about your issue, the more likely we will be able to come up with a helpful answer!

ITWhisperer · ‎11-11-2021

| rex "\d+\s\w+\s(?<time>\d{4}\.\d{2}\.\d{2}\s\d{2}:\d{2}:\d{2})\s(?<field1>.+)\s(?<server>\S+)\s(?<ip>\d+\.\d+\.\d+\.\d+)"

Getting inconsistent extraction

field extraction

fields

regex

rex

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...