Splunk Search

How to extract a field and send an email alert?

Contributor

Hi,

I have the below event for which I need to get an alert whenever the event occurs and get the version of the file .

[2017-03-13T16:16:07-04:00] INFO: Processing remotefile[/opt/chef/cache/openupf-abdirect-web-17.03.00.01-20170313.032310-34-config.tar] action create (ABCD_Appserver::deploy line 21)

The highlighted part is the version of the file which I need to get in the email. I created a field transformation and get an alert mentioning the version.

Thanks
Rohit

0 Karma

Esteemed Legend

Like this:

Your Base Search Here | rex "(?<file_version>\d+\.\d+\.\d+\.\d+[^\]]+)" | table _raw file_version
0 Karma

Contributor

I Used the Regex builder provided by splunk and it gives the below regex expression:

(?=[^o]*(?:opt/chef/cache/openupf-abdirect-web-|o.*opt/chef/cache/openupf-hldirect-web-))^(?:[^\-\n]*\-){6}(?P\d+\.\d+\.\d+\.\d+\-\d+\.\d+\-\d+\-\w+\.\w+) 

My question is how do use the new field created by it??

0 Karma

Esteemed Legend

Like this:

    Your Base Search Here | rex "(?=[^o]*(?:opt/chef/cache/openupf-abdirect-web-|o.*opt/chef/cache/openupf-hldirect-web-))^(?:[^\-\n]*\-){6}(?<file_version>\d+\.\d+\.\d+\.\d+\-\d+\.\d+\-\d+\-\w+\.\w+) | table _raw file_version
0 Karma

Contributor

You could use a regex for extract the field in search time like this *\d{2}.\d{2}.\d{2}.\d{2}-\d{8}.\d{6}-\d{2}-\w*.\w*.* and then, create a Alert that send the e-mail.

0 Karma