- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Help with regular expression
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, all
I would like to create a mechanism that generates an alert when a regular expression extracted matches.
However, I cannot come up with a search statement that says when the extracted regular expression matches a certain character.
Here is my regular expression.
index=main sourcetype=text
|rex field = title(?<description>(\[).*(\]))
Field of title has values [SUCCESS],[FAILED],[SKIPPED]etc...
I thought that this search statement would return results that matched SUCCESS.
index=main sourcetype=text
|rex field = title(?<description>(\[).*(\]))
description = "SUCCESS"
But, it does not work.
Could you please help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi nanachu,
If you want to create an alert then you can do something like:
index=main sourcetype=text
|rex field=title "\[(?<description>.*)\]"
|stats count by description
(it will count the number of "[SUCCESS]", "[FAILED]", ... extracted)
Then you click "save as" --> Alert --> Trigger alert when "Number of Results" is greater than 0
Hope it helps
Best regards,
Adrian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the | regex to search events regex patterns without the need to extract fields.
Example:
if you want to get an alert when there is a [FAILED] event you can search:
index=main sourcetype=text
| regex _raw="\[FAILED\]"
NOTE: You can swap _raw by other existing field if you want.
More information on the regex command:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Search/SPLandregularexpressions
Also check this .conf presentation:
https://conf.splunk.com/files/2017/slides/regex-in-your-spl.pdf
Hope I was able to help you. If so, some karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi nanachu,
If you want to create an alert then you can do something like:
index=main sourcetype=text
|rex field=title "\[(?<description>.*)\]"
|stats count by description
(it will count the number of "[SUCCESS]", "[FAILED]", ... extracted)
Then you click "save as" --> Alert --> Trigger alert when "Number of Results" is greater than 0
Hope it helps
Best regards,
Adrian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this
| makeresults
| eval title="[SUCCESS],[FAILED],[SKIPPED]" |rex field=title "\[+(?<status>.*?)\]" max_match=0
| mvexpand status
| where status="whatever you want"
repalce whatever you want with success,failed,skipped etc...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @nanachu
Can you please check and confirm on your issue? Please accept the answer if it significantly helped resolve your issue. Do not forget to add/modify the answer if you did some modifications and then accept the answer.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
