Splunk Search

How to extract a field and send an email alert?

macadminrohit
Contributor

Hi,

I have the below event for which I need to get an alert whenever the event occurs and get the version of the file.

[2017-03-13T16:16:07-04:00] INFO: Processing remote_file[/opt/chef/cache/openupf-abdirect-web-17.03.00.01-20170313.032310-34-config.tar] action create (AB_CD_Appserver::deploy line 21)

The highlighted part is the version of the file which I need to get in the email. I created a field transformation and get an alert mentioning the version.

Thanks
Rohit

0 Karma

woodcock
Esteemed Legend

Like this:

    Your Base Search Here | rex "(?<file_version>\d+\.\d+\.\d+\.\d+[^\]]+)" | table _raw file_version
0 Karma

macadminrohit
Contributor

I used the regex builder provided by Splunk and it gives the below regex expression:

    (?=[^o]*(?:opt/chef/cache/openupf-abdirect-web-|o.*opt/chef/cache/openupf-hldirect-web-))^(?:[^\-\n]*\-){6}(?P<file_version>\d+\.\d+\.\d+\.\d+\-\d+\.\d+\-\d+\-\w+\.\w+)

My question is how do I use the new field created by it?

0 Karma

woodcock
Esteemed Legend

Like this:

    Your Base Search Here | rex "(?=[^o]*(?:opt/chef/cache/openupf-abdirect-web-|o.*opt/chef/cache/openupf-hldirect-web-))^(?:[^\-\n]*\-){6}(?<file_version>\d+\.\d+\.\d+\.\d+\-\d+\.\d+\-\d+\-\w+\.\w+) | table _raw file_version
0 Karma

rafamss
Contributor

You could use a regex to extract the field at search time, like this *\d{2}.\d{2}.\d{2}.\d{2}-\d{8}.\d{6}-\d{2}-\w*.\w*.*, and then create an alert that sends the e-mail.

0 Karma
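A way to check the search-time extraction from the replies above against sample events before wiring it to an alert, as an added Python example that is not from this thread. Python's re syntax stands in for rex; the path anchor before the version, the hldirect variant and the sample events are assumptions.

```python
import re
from typing import List, Optional

# Search-time extraction from the thread, written with Python's (?P<name>...) group
# syntax (Splunk rex accepts that form too). The path prefix is an added anchor
# (assumption) so the alert only fires on the deploy event, not on any dotted
# version string that happens to appear in some other event.
FILE_VERSION_RE = re.compile(
    r"remote_file\[/opt/chef/cache/openupf-(?:ab|hl)direct-web-"
    r"(?P<file_version>\d+\.\d+\.\d+\.\d+[^\]]+)\]"
)

# Constructed sample events: the one from the question, an hldirect variant,
# an unrelated INFO line, and a remote_file event for a different package.
SAMPLE_EVENTS = [
    "[2017-03-13T16:16:07-04:00] INFO: Processing remote_file"
    "[/opt/chef/cache/openupf-abdirect-web-17.03.00.01-20170313.032310-34-config.tar]"
    " action create (AB_CD_Appserver::deploy line 21)",
    "[2017-03-14T09:02:11-04:00] INFO: Processing remote_file"
    "[/opt/chef/cache/openupf-hldirect-web-17.03.00.02-20170314.081500-35-config.tar]"
    " action create (AB_CD_Appserver::deploy line 21)",
    "[2017-03-14T09:02:12-04:00] INFO: Chef Run complete in 12.3 seconds",
    "[2017-03-14T09:02:13-04:00] INFO: Processing remote_file"
    "[/opt/chef/cache/other-tool-1.2.3.4-20170314.081500-1-bin.tar] action create",
]


def extract_file_version(event: str) -> Optional[str]:
    """Return the file_version field for a deploy event, or None if it is not one."""
    match = FILE_VERSION_RE.search(event)
    return match.group("file_version") if match else None


def alert_lines(events: List[str]) -> List[str]:
    """Build the lines an alert e-mail would carry, one per matching event,
    the equivalent of `| table _time file_version` in the saved search."""
    lines = []
    for event in events:
        version = extract_file_version(event)
        if version is not None:
            timestamp = event[1:event.index("]")]  # the bracketed event time
            lines.append(f"{timestamp} file_version={version}")
    return lines


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_EVENTS):
        print(line)
```

Only the two openupf deploy events produce alert lines; the unrelated INFO line and the other package's remote_file event are ignored, which is the false-positive case the loose pattern alone would not filter.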