Splunk Search

How do I write a regex that extracts a field behind a specific string?

zacksoft
Contributor

My application has multiple plugins, and the Splunk event contains the number of plugins that have failed to load. Sometimes all the plugins are active and sometimes more than 10 plugins fail to load. Here is a sample event. Basically, the word behind the string "IS UNACCOUNTED FOR" is my plugin name, and I need all the plugin names that are present behind the string "is accounted for". And as I said, there could be any number of failed plugins in the event. The following example event contains two failed plugins, i.e. 'Announcer for CONF' and 'HipChat for CONF'.

 ___ FAILED PLUGIN REPORT _____________________

    1 plugin failed to load during CONF startup.

        'com.bsaassian.plugins.authentication.bsaassian-authentication-plugin' - 'SAML for bsaassian Data Center'  failed to load.
            Unexpected exception parsing XML document from URL [bundle://127.0:0/META-INF/spring/plugin-context.xml]; nested exception is javax.xml.parsers.FactoryConfigurationError: Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
                Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
                    Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
                        javax.xml.parsers.DocumentBuilderFactory: Provider com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl not found

            It was loaded from /apps/bsaassian/CONF.7.6.7/bsaassian-CONF/WEB-INF/bsaassian-bundled-plugins/bsaassian-authentication-plugin-2.0.8.jar
    4 plugins are unaccounted for.
    Unaccounted for plugins load as artifacts but fail to resolve into full plugins.

        'com.wittified.atl-announcer-CONF' - 'Announcer for CONF'  IS UNACCOUNTED FOR.

            It was loaded from /atlshare/bsaassian/application-data/CONF/plugins/installed-plugins/plugin.2625541172025988687.atl-announcer-CONF-2.3.10-7x.jar

        'com.bsaassian.labs.hipchat.hipchat-for-CONF-plugin' - 'HipChat for CONF'  IS UNACCOUNTED FOR.
********************************************************************************************************************************************************************************************************

sudosplunk
Motivator

Hello,

Append this to your search: base_search | rex max_match=0 field=_raw "\'(?<plugin_name>[\w\s-]+?)\'\s+(?i)IS\sUNACCOUNTED\sFOR" | table plugin_name

https://regex101.com/r/UUpOta/1


rajneeshdba
Explorer

2020-11-30T23:59:46.101621+00:00 fdb2.fdb-us-south-002 2020-11-30T23:59:45Z { "Severity": "10", "Time": "1606780785.516014", "Type": "SomewhatSlowRunLoopTop", "ID": "0000000000000000", "Elapsed": "0.0734675", "Machine": "10.185.175.43:4501", "LogGroup": "default" }

I want to know how I can extract "Severity": "10" in the search from the logs.

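The event in the post above is a syslog-style header followed by a single-line JSON object. As an added example that is not part of the thread and not Splunk's own code, the following Python shows the two ways such a field is usually pulled out: a regex on the quoted key (the shape a Splunk rex would take) and a proper JSON parse of the object after the header. The log line is constructed from the one quoted above; the function names are mine.

```python
import json
import re
from typing import Optional

# Constructed sample, modelled on the event quoted in the post above:
# a syslog-style header, then one JSON object on the same line.
LINE = (
    '2020-11-30T23:59:46.101621+00:00 fdb2.fdb-us-south-002 2020-11-30T23:59:45Z '
    '{ "Severity": "10", "Time": "1606780785.516014", "Type": "SomewhatSlowRunLoopTop", '
    '"ID": "0000000000000000", "Elapsed": "0.0734675", "Machine": "10.185.175.43:4501", '
    '"LogGroup": "default" }'
)


def json_payload(line: str) -> Optional[dict]:
    """Return the JSON object embedded after the header, or None if the
    line carries no object or the object does not parse (e.g. truncated)."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def severity(line: str) -> Optional[int]:
    """Severity as an integer via the JSON parse. The value is a quoted
    string in the event ("10"), so it is converted explicitly."""
    payload = json_payload(line)
    if not payload or "Severity" not in payload:
        return None
    try:
        return int(payload["Severity"])
    except (TypeError, ValueError):
        return None


# Regex route: the pattern a rex would use. Whitespace around the colon is
# optional, and only a quoted run of digits is accepted as the value.
SEVERITY_RE = re.compile(r'"Severity"\s*:\s*"(?P<severity>\d+)"')


def severity_by_regex(line: str) -> Optional[int]:
    """Severity as an integer via the regex, or None if the key is absent."""
    m = SEVERITY_RE.search(line)
    return int(m.group("severity")) if m else None


if __name__ == "__main__":
    print("json parse :", severity(LINE))
    print("regex      :", severity_by_regex(LINE))
    # A truncated event: the regex still finds the key, the JSON parse fails closed.
    print("truncated  :", severity(LINE[:-5]), severity_by_regex(LINE[:-5]))
```

The two routes fail differently: on a truncated event the JSON parse returns nothing, while the regex still returns the value as long as the `"Severity"` pair survived. Which behaviour you want depends on whether a partial event should count in the search; in Splunk the regex form is what a `rex` would carry, and the parse form corresponds to capturing the object into its own field and running `spath` over it.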


zacksoft
Contributor

It is missing one plugin. In the following example I have four such entries. But it shows only 3 entries. It is missing "bsaassian CONF - Plugins - Feedback Plugin"

___ FAILED PLUGIN REPORT _____________________

    1 plugin failed to load during CONF startup.

        'com.bsaassian.plugins.authentication.bsaassian-authentication-plugin' - 'SAML for bsaassian Data Center'  failed to load.
            Unexpected exception parsing XML document from URL [bundle://139.0:0/META-INF/spring/plugin-context.xml]; nested exception is javax.xml.parsers.FactoryConfigurationError: Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
                Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
                    Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
                        javax.xml.parsers.DocumentBuilderFactory: Provider com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl not found

            It was loaded from /apps/bsaassian/CONF.7.6.7/bsaassian-CONF/WEB-INF/bsaassian-bundled-plugins/bsaassian-authentication-plugin-2.0.8.jar
    4 plugins are unaccounted for.
    Unaccounted for plugins load as artifacts but fail to resolve into full plugins.

        'com.wittified.atl-announcer-CONF' - 'Announcer for CONF'  is unaccounted for.

            It was loaded from /btlpaire/bsaassian/application-data/CONF/plugins/installed-plugins/plugin.2625541172025988687.atl-announcer-CONF-2.3.10-7x.jar

        'com.bsaassian.labs.hipchat.hipchat-for-CONF-plugin' - 'HipChat for CONF'  is unaccounted for.

            It was loaded from /btlpaire/bsaassian/application-data/CONF/plugins/installed-plugins/hipchat-for-CONF-plugin-7.8.12.jar

        'com.bsaassian.feedback.CONF-feedback-plugin' - 'bsaassian CONF - Plugins - Feedback Plugin'  is unaccounted for.

            It was loaded from /apps/bsaassian/CONF.7.6.7/bsaassian-CONF/WEB-INF/bsaassian-bundled-plugins/CONF-feedback-plugin-7.6.7.jar

        'com.bsaassian.CONF.ext.calendar' - 'CONF Calendar Plugin'  is unaccounted for.

            It was loaded from /btlpaire/bsaassian/application-data/CONF/plugins/installed-plugins/plugin.1353523214340827166.CONF-calendar-plugin-4.0.3.jar

    ********************************************************************************************************************************************************************************************************

sudosplunk
Motivator

That is because there is a '-' in the plugin name and the regex is not asked to match it. I updated the regex in my answer above. Try it out.

On a side note: I added (?i), the case-insensitive flag, for the "is unaccounted for" string, because in the example above you had lowercase and in the question above you had uppercase. Adjust the regex as required.

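The regex from the accepted answer, together with the two caveats raised in this thread (a hyphen inside a plugin name, and the mixed case of "is unaccounted for"), carried through as an added worked example. This is not code from the thread and not a Splunk command: Python's `re` stands in for Splunk's PCRE-based `rex`, and the scoped flag `(?i:...)` replaces the bare mid-pattern `(?i)` of the answer because Python 3.11 and later reject the latter (PCRE accepts both). The sample event is constructed from the report lines quoted above, with one extra entry ('Report (PDF) Export', invented here) whose name contains characters outside `[\w\s-]`; the function names are mine.

```python
import re
from typing import List, Tuple

# Constructed sample event, modelled on the failed-plugin report quoted in the
# thread. Exception text and paths are shortened; the last entry is invented
# to carry characters that [\w\s-] does not cover.
EVENT = """\
 ___ FAILED PLUGIN REPORT _____________________

    1 plugin failed to load during CONF startup.

        'com.bsaassian.plugins.authentication.bsaassian-authentication-plugin' - 'SAML for bsaassian Data Center'  failed to load.
            Unexpected exception parsing XML document from URL [bundle://139.0:0/META-INF/spring/plugin-context.xml]

    5 plugins are unaccounted for.
    Unaccounted for plugins load as artifacts but fail to resolve into full plugins.

        'com.wittified.atl-announcer-CONF' - 'Announcer for CONF'  is unaccounted for.

        'com.bsaassian.labs.hipchat.hipchat-for-CONF-plugin' - 'HipChat for CONF'  IS UNACCOUNTED FOR.

        'com.bsaassian.feedback.CONF-feedback-plugin' - 'bsaassian CONF - Plugins - Feedback Plugin'  is unaccounted for.

        'com.bsaassian.CONF.ext.calendar' - 'CONF Calendar Plugin'  is unaccounted for.

        'com.example.report' - 'Report (PDF) Export'  is unaccounted for.
"""

# The answer's first version: no '-' in the class, so a hyphenated name is skipped.
NO_HYPHEN = re.compile(r"'(?P<plugin_name>[\w\s]+?)'\s+(?i:IS\sUNACCOUNTED\sFOR)")

# The updated version from the answer: '-' added, marker matched case-insensitively.
WITH_HYPHEN = re.compile(r"'(?P<plugin_name>[\w\s-]+?)'\s+(?i:IS\sUNACCOUNTED\sFOR)")

# Delimiter-anchored alternative: anything but a quote is part of the id or the
# name, so parentheses, dots or other punctuation in a name cannot be missed.
# It also captures the plugin id, which is what you would alert or pivot on.
ROBUST = re.compile(
    r"'(?P<plugin_id>[^']+)'\s+-\s+'(?P<plugin_name>[^']+)'\s+(?i:is\s+unaccounted\s+for)"
)

# The report states its own total; use it to detect a regex that silently misses entries.
COUNT_RE = re.compile(r"(?P<n>\d+) plugins? (?:is|are) unaccounted for", re.IGNORECASE)


def unaccounted_plugins(event: str, pattern: "re.Pattern" = WITH_HYPHEN) -> List[str]:
    """Every plugin display name before the marker, in event order
    (the equivalent of rex max_match=0 followed by table plugin_name)."""
    return [m.group("plugin_name") for m in pattern.finditer(event)]


def unaccounted_with_ids(event: str) -> List[Tuple[str, str]]:
    """(plugin id, display name) pairs using the delimiter-anchored pattern."""
    return [(m.group("plugin_id"), m.group("plugin_name")) for m in ROBUST.finditer(event)]


def reported_unaccounted_count(event: str) -> int:
    """The total the report itself claims, or 0 if the summary line is absent."""
    m = COUNT_RE.search(event)
    return int(m.group("n")) if m else 0


def extraction_is_complete(event: str, pattern: "re.Pattern") -> bool:
    """True when the pattern found exactly as many names as the report announced."""
    return len(unaccounted_plugins(event, pattern)) == reported_unaccounted_count(event)


if __name__ == "__main__":
    print("report says :", reported_unaccounted_count(EVENT))
    for label, pat in (("no hyphen", NO_HYPHEN), ("with hyphen", WITH_HYPHEN), ("robust", ROBUST)):
        names = unaccounted_plugins(EVENT, pat)
        print(f"{label:12}: {len(names)} found, complete={extraction_is_complete(EVENT, pat)}")
        for name in names:
            print("   ", name)
```

The first pattern finds three names, the answer's updated pattern four, and only the delimiter-anchored one reaches the five the report announces. An allow-list class such as `[\w\s-]` fails silently on any name with a character nobody anticipated, so in a search that feeds an alert it is worth carrying the report's own count alongside the extraction and flagging events where the two disagree. The `ROBUST` pattern is plain PCRE and should drop into a `rex` unchanged; that it does so on a given Splunk version is an assumption here, not something the thread confirms.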