Splunk Search

Help with regular expression

nanachu
Path Finder

Hi, all

I would like to create a mechanism that generates an alert when a regular-expression extraction matches.

However, I cannot come up with a search statement that says when the extracted value matches certain characters.

Here is my regular expression.

index=main sourcetype=text
|rex field = title(?<description>(\[).*(\]))

The title field has values [SUCCESS], [FAILED], [SKIPPED], etc.

I thought that this search statement would return results that matched SUCCESS.

index=main sourcetype=text
|rex field = title(?<description>(\[).*(\]))
description = "SUCCESS"

But, it does not work.

Could you please help me?

0 Karma
1 Solution

Adrian_ftx
Path Finder

Hi nanachu,

If you want to create an alert then you can do something like:

 index=main sourcetype=text
|rex field=title "\[(?<description>.*)\]"
|stats count by description

(it will count the number of "[SUCCESS]", "[FAILED]", ... extracted)
Then you click "save as" --> Alert --> Trigger alert when "Number of Results" is greater than 0

Hope it helps

Best regards,
Adrian


diogofgm
SplunkTrust

You can use the | regex command to search events for regex patterns without the need to extract fields.

Example:
if you want to get an alert when there is a [FAILED] event you can search:

index=main sourcetype=text
| regex _raw="\[FAILED\]"

NOTE: You can swap _raw for another existing field if you want.

More information on the regex command:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Search/SPLandregularexpressions

Also check this .conf presentation:
https://conf.splunk.com/files/2017/slides/regex-in-your-spl.pdf

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma


Sukisen1981
Champion

try this

| makeresults
| eval title="[SUCCESS],[FAILED],[SKIPPED]"
| rex field=title "\[+(?<status>.*?)\]" max_match=0
| mvexpand status
| where status="whatever you want"

Replace "whatever you want" with SUCCESS, FAILED, SKIPPED, etc.
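The three regexes in this thread behave differently on the same title, and that difference is exactly why the original search returned nothing. The following is an added illustration written for this page, not code from any of the posters: it re-implements the question's rex, the accepted answer's rex, the max_match=0 variant and the | regex filter in Python's re module (Python uses (?P<name>...) where Splunk's PCRE uses (?<name>...); the patterns are otherwise identical). The title values are constructed sample data, and one of them carries two bracketed statuses to show where the greedy .* goes wrong.

```python
import re
from collections import Counter

# Constructed sample values for the title field (not data from the original post).
TITLES = [
    "[SUCCESS] backup job 17",
    "[FAILED] backup job 18",
    "[SKIPPED] backup job 19",
    "[SUCCESS] stage 1 [FAILED] stage 2",   # two statuses in one title
    "no bracketed status here",             # no match at all
]

# The question's pattern: the brackets sit INSIDE the named group, so the
# extracted value is "[SUCCESS]", and description="SUCCESS" can never match.
ORIGINAL = re.compile(r"(?P<description>(\[).*(\]))")

# The accepted answer's pattern: brackets outside the group, but .* is greedy,
# so with two bracket pairs on one line it spans from the first [ to the last ].
ANSWER = re.compile(r"\[(?P<description>.*)\]")

# The max_match=0 answer's pattern: lazy .*? so each bracket pair is its own match.
MULTI = re.compile(r"\[+(?P<status>.*?)\]")


def rex(pattern, name, title):
    """Mimic `| rex field=title "..."` (default max_match=1): first match's group, or None."""
    m = pattern.search(title)
    return m.group(name) if m else None


def rex_all(pattern, name, title):
    """Mimic `| rex ... max_match=0 | mvexpand <name>`: every match's group, in order."""
    return [m.group(name) for m in pattern.finditer(title)]


def alert_candidates(titles, pattern, name, value):
    """Mimic `| rex ... | search <name>=<value>` (exact comparison, as `where` does):
    the titles whose extracted value(s) include `value`."""
    return [t for t in titles if value in rex_all(pattern, name, t)]


def regex_cmd(titles, regex):
    """Mimic `| regex title="<regex>"`: keep events whose field matches, no extraction."""
    compiled = re.compile(regex)
    return [t for t in titles if compiled.search(t)]


def stats_count_by(titles, pattern, name):
    """Mimic `| rex ... | stats count by <name>`: a count per extracted value."""
    return Counter(v for t in titles for v in rex_all(pattern, name, t))


if __name__ == "__main__":
    for t in TITLES:
        print(f"{t!r}")
        print("  original :", rex(ORIGINAL, "description", t))
        print("  answer   :", rex(ANSWER, "description", t))
        print("  multi    :", rex_all(MULTI, "status", t))
    print("original, SUCCESS ->", alert_candidates(TITLES, ORIGINAL, "description", "SUCCESS"))
    print("answer,   FAILED  ->", alert_candidates(TITLES, ANSWER, "description", "FAILED"))
    print("multi,    FAILED  ->", alert_candidates(TITLES, MULTI, "status", "FAILED"))
    print("regex cmd FAILED  ->", regex_cmd(TITLES, r"\[FAILED\]"))
    print("stats count by    ->", dict(stats_count_by(TITLES, MULTI, "status")))
```

Two things worth noticing when building an alert on this: the question's pattern yields no candidates for SUCCESS because every extracted value still carries its brackets, and the accepted answer's greedy pattern silently misses the title that contains both a SUCCESS and a FAILED marker, extracting "SUCCESS] stage 1 [FAILED" instead. The lazy pattern with max_match=0 and the | regex filter both catch it. For an alert that must not miss failures, prefer the lazy quantifier or an anchored literal such as \[FAILED\] over an unanchored .*.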

Sukisen1981
Champion

hi @nanachu
Can you please check and confirm on your issue? Please accept the answer if it significantly helped resolve your issue. Do not forget to add/modify the answer if you did some modifications and then accept the answer.

0 Karma