Splunk Search

How do you get the following search to return a piece of the process status rather than the whole output of the command line?

bsaujla131984
Path Finder

I have set up a query to check the status of linux/unix processes for a number of processes. However, when it displays the results, it shows the whole output of the command line instead of showing the status of process.

For example, the search is to check the output of process ABCDEF. But when I run the query, it shows as below:-

://java/path/abc: ABCDEF:/export/path/...

Is there a way I can extract just the process name instead of the whole command line as output?

Thanks,


mstjohn_splunk
Splunk Employee

hi @bsaujla131984

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!


bsaujla131984
Path Finder

No, it did not work...


DalJeanis
SplunkTrust

For this kind of query, your fastest iteration on trying extraction language might be to get onto the Splunk Slack channel, the #regex subchannel, and ask for help there. It looks like sudosplunk is getting you close, but some kind of problem is persisting. They can help you down there pretty fast.


bsaujla131984
Path Finder

Can anyone assist with this please?


sudosplunk
Motivator

Did you try the regex exactly as I provided? Use this search: index=Unix_process host="xxxxxx" ABCDEF COMMAND=java | dedup process | rex field=_raw "\:\s(?<just_process_name>\w+)\:" | table just_process_name


bsaujla131984
Path Finder

Hi SudoSplunk, it is not working; error message:-

Error in 'rex' command: Encountered the following error while compiling the regex ':\s(?PROCESS_NAME\w+):': Regex: unrecognized character after (? or (?-


sudosplunk
Motivator

Hi,

Regex: unrecognized character after (? or (?-

Based on the above error, I think you specified a name for the capture group but not in the format the regex recognizes. Put PROCESS_NAME inside angular brackets: | rex field=_raw ":\s(?<PROCESS_NAME>\w+):" | table PROCESS_NAME

Link for working regex.


bsaujla131984
Path Finder

I had tried angular brackets; however, it was giving the error below:-

Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?<name>...).


sudosplunk
Motivator

Hi, give this a try: base_search | rex field=_raw "\:\s(?<just_process_name>\w+)\:" | table just_process_name

The regex will only work with the format specified in the question. If you have multiple formats in which the process name appears in logs, then provide samples of all possible formats and I will help with a regex that matches all of them.


bsaujla131984
Path Finder

Thanks for your input. I tried the following searches; however, they are not working as expected:-

Search1:- index=Unix_process host="xxxxxx" ABCDEF COMMAND=java | dedup process | rex field=_raw ":\s(? \w+):" | table ABCDEF

Error:- Error in 'rex' command: Encountered the following error while compiling the regex ':\s(? \w+):': Regex: syntax error in subpattern name (missing terminator)

Search 2:- index=Unix_process host="xxxxxx" ABCDEF COMMAND=java | dedup process | rex field=_raw ":\s(?ABCDEF \w+):" | table ABCDEF

Error:- Error in 'rex' command: Encountered the following error while compiling the regex ':\s(?ABCDEF \w+):': Regex: unrecognized character after (? or (?-


sudosplunk
Motivator

Hi,

Looks like there is no named capturing group in your rex statement. A named capturing group (including the <> angular brackets) must be provided in order for rex to work.

Regex tested here.
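To check the rex pattern from sudosplunk's answer offline before running it in Splunk, here is an added Python example that is not part of the thread. It assumes a constructed _raw line modelled on the one quoted in the question, and uses Python's (?P<name>...) spelling of the named group that Splunk's PCRE-based rex writes as (?<name>...); the rex() helper is a hypothetical stand-in that mimics rex's "at least one named group" rule.

```python
import re
from typing import Dict, Optional

# Constructed sample, modelled on the _raw line quoted in the question.
SAMPLE_RAW = "://java/path/abc: ABCDEF:/export/path/bin"

# The pattern from the answer. Splunk's rex is PCRE and accepts (?<name>...);
# Python's re needs (?P<name>...), which is the only difference here.
REX_PATTERN = r"\:\s(?P<just_process_name>\w+)\:"


def rex(raw: str, pattern: str) -> Dict[str, str]:
    """Hypothetical stand-in for `rex field=_raw "<pattern>"`.

    Returns the named groups that matched. Like Splunk's rex, it refuses a
    pattern with no named capture group, because rex can only extract into
    fields that are named.
    """
    compiled = re.compile(pattern)
    if not compiled.groupindex:
        raise ValueError(
            "pattern must specify at least one named group, e.g. (?<name>...)"
        )
    match = compiled.search(raw)
    return match.groupdict() if match else {}


def extract_process_name(raw: str) -> Optional[str]:
    """Pull just the process name out of a full command-line _raw event."""
    return rex(raw, REX_PATTERN).get("just_process_name")


if __name__ == "__main__":
    print(extract_process_name(SAMPLE_RAW))  # ABCDEF
    # The two malformed group spellings from the thread fail to compile in
    # Python too, for the same reason they fail in Splunk: no <name> after (?.
    for bad in (r":\s(?PROCESS_NAME\w+):", r":\s(? \w+):"):
        try:
            re.compile(bad)
        except re.error as err:
            print(f"{bad!r}: {err}")
```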
