Splunk Search

How do I construct a regular expression with wildcard matching?

dbcase
Motivator

Hi,

I have data that looks like this

####<Sep 15, 2016 9:35:27 AM CDT> <Debug> <ucontrol> <betamax-cpe1> <managedServer1> <client-8> <<anonymous>> <> <> <1473950127749> <BEA-000000> <org.jivesoftware.util.Log  - SENT: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>> 

####<Sep 15, 2016 10:18:53 AM CDT> <Warning> <ucontrol> <betamax-cpe1> <managedServer1> <smsQueueListenerContainer-1> <<anonymous>> <BEA1-35C7B98CDE9F> <> <1473952733478> <BEA-000000> <fn.service.impl.NumerexSmsSender  - UCE-22233 - Failed to send Numerex sms message to 5555555555> 

####<Sep 15, 2016 10:11:46 AM CDT> <Warning> <ucontrol> <betamax-portal1> <managedServer3> <[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1473952306182> <BEA-000000> <fn.webapp.listener.AuthenticationListener  - Authentication Auditing Failed: AuthenticationFailureBadCredentialsEvent> 

What I need to do is search on a failure, but the failure condition is presented in several ways (i.e. failed: OR failed; OR failed, OR failed. OR <failure).

What I need to do is match on failed* OR <failure and then capture to the end of the line.

Still rather new to regex, so I'm unsure how to do wildcard matching.

1 Solution

sundareshr
Legend

Try this

... | rex "\b(?<failmsg>[Ff]ail.*)"

aaraneta_splunk
Splunk Employee

Hi @dbcase - Just so you know, I edited your original question to include your revised/correct last sentence instead of having it as a floating comment 🙂

dbcase
Motivator

I have no idea how you do regex so eloquently.... Maybe one day I can do the same.... 🙂

twinspop
Influencer

... | rex "<?[fF]ail[eu][dr]?e?[:;,. ](?<failure_code>.*)"

richgalloway
SplunkTrust

Something like this, perhaps?

... | rex "(?i)fail\w*\s*(?<failureMsg>.*)" | ...
---
If this reply helps you, Karma would be appreciated.

inventsekar
SplunkTrust

Please check this -

sourcetype=failure | rex field=_raw "<?[fF]ail[eu][dr]?e?[:;,. ](?<failedCode>.*)" | table failedCode _time _raw
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
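Added example, not posted by anyone in this thread: the rex patterns proposed above, translated to Python's re module so they can be run offline against the three WebLogic events quoted in the question. The only translation is the named-group syntax: Splunk's rex is PCRE and writes `(?<name>...)`, Python's re writes `(?P<name>...)`. The sample events are constructed from the question (trailing whitespace trimmed), and the names EVENTS, PATTERNS, extract and run_all are mine. Alongside the thread's patterns it includes a plain case-sensitive `fail\w*` variant and the same pattern with `(?i)`, to show two things the answers leave implicit: a lowercase-only `fail` never matches the `Failed` lines, and a separator class such as `[:;,. ]` leaves a leading space or colon in the capture depending on which separator the event used, which matters when the extracted field feeds a dashboard or an alert on these authentication failures.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events, taken from the three log lines quoted in the question
# (trailing whitespace removed; the phone number was already masked in the original).
EVENTS = [
    '####<Sep 15, 2016 9:35:27 AM CDT> <Debug> <ucontrol> <betamax-cpe1> <managedServer1> '
    '<client-8> <<anonymous>> <> <> <1473950127749> <BEA-000000> '
    '<org.jivesoftware.util.Log  - SENT: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<not-authorized/></failure>>',
    '####<Sep 15, 2016 10:18:53 AM CDT> <Warning> <ucontrol> <betamax-cpe1> <managedServer1> '
    '<smsQueueListenerContainer-1> <<anonymous>> <BEA1-35C7B98CDE9F> <> <1473952733478> '
    '<BEA-000000> <fn.service.impl.NumerexSmsSender  - UCE-22233 - Failed to send Numerex sms '
    'message to 5555555555>',
    '####<Sep 15, 2016 10:11:46 AM CDT> <Warning> <ucontrol> <betamax-portal1> <managedServer3> '
    "<[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'> "
    '<<anonymous>> <> <> <1473952306182> <BEA-000000> '
    '<fn.webapp.listener.AuthenticationListener  - Authentication Auditing Failed: '
    'AuthenticationFailureBadCredentialsEvent>',
]

# Patterns from the thread plus two variants of my own. Splunk rex uses PCRE named groups
# (?<name>...); Python's re spells the same group (?P<name>...), which is the only change.
PATTERNS: Dict[str, str] = {
    # accepted answer: word boundary, either case, capture from "fail" to end of event
    "accepted": r"\b(?P<failmsg>[Ff]ail.*)",
    # separator-consuming variant: matches failed/failure plus one of : ; , . or space
    "separator_class": r"<?[fF]ail[eu][dr]?e?[:;,. ](?P<failure_code>.*)",
    # lowercase-only "fail" (rex is case sensitive by default)
    "fail_lowercase": r"fail\w*\s*(?P<failureMsg>.*)",
    # same pattern with the inline case-insensitive flag
    "fail_ci": r"(?i)fail\w*\s*(?P<failureMsg>.*)",
}


def extract(pattern: str, event: str) -> Optional[str]:
    """Mimic `| rex "<pattern>"` on one event: return the named group's value,
    or None when the pattern does not match (rex then leaves the field unset)."""
    m = re.search(pattern, event)
    if m is None:
        return None
    # Every pattern above defines exactly one named group; return it whatever its name.
    return next(iter(m.groupdict().values()))


def run_all() -> Dict[str, List[Optional[str]]]:
    """Apply every pattern to every event; index i of each list corresponds to EVENTS[i]."""
    return {name: [extract(p, e) for e in EVENTS] for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, results in run_all().items():
        print(f"== {name}")
        for r in results:
            print("   ", repr(r))
```

Run it as a script to see each capture printed with repr(), which makes the leading space and the leading colon produced by the separator-consuming patterns visible. The `(?i)` flag works unchanged inside a Splunk rex string, so the safest single pattern for the question's data is the accepted one with the flag added and the separator optional, e.g. `(?i)\bfail\w*[:;,.]?\s*(?<failmsg>.*)`; whichever you choose, check the extracted field with `| stats count by failmsg` before building an alert on it.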