Splunk Search

How to extract a field and send an email alert?

Contributor

Hi,

I have the below event for which I need to get an alert whenever the event occurs and get the version of the file.

[2017-03-13T16:16:07-04:00] INFO: Processing remote_file[/opt/chef/cache/openupf-abdirect-web-17.03.00.01-20170313.032310-34-config.tar] action create (AB_CD_Appserver::deploy line 21)

The highlighted part is the version of the file which I need to get in the email. I created a field transformation and get an alert mentioning the version.

Thanks
Rohit


Esteemed Legend

Like this:

    Your Base Search Here | rex "(?<file_version>\d+\.\d+\.\d+\.\d+[^\]]+)" | table _raw file_version

Contributor

I used the Regex builder provided by Splunk and it gives the below regex expression:

    (?=[^o]*(?:opt/chef/cache/openupf-abdirect-web-|o.*opt/chef/cache/openupf-hldirect-web-))^(?:[^\-\n]*\-){6}(?P\d+\.\d+\.\d+\.\d+\-\d+\.\d+\-\d+\-\w+\.\w+)

My question is how do I use the new field created by it?


Esteemed Legend

Like this:

    Your Base Search Here | rex "(?=[^o]*(?:opt/chef/cache/openupf-abdirect-web-|o.*opt/chef/cache/openupf-hldirect-web-))^(?:[^\-\n]*\-){6}(?<file_version>\d+\.\d+\.\d+\.\d+\-\d+\.\d+\-\d+\-\w+\.\w+) | table _raw file_version
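To see what each rex in the two answers above actually captures before an alert is built on it, here is an added Python check (not from the thread and not Splunk's own code) that runs both regexes over the event quoted in the question plus two constructed events; Splunk's rex uses PCRE `(?<name>...)` groups, which Python's re spells `(?P<name>...)`.

```python
import re

# Constructed sample events. The first is the event quoted in the question;
# the second is an invented hldirect variant (the builder regex names that
# path); the third is an invented line carrying no file version at all.
EVENTS = [
    "[2017-03-13T16:16:07-04:00] INFO: Processing remote_file[/opt/chef/cache/"
    "openupf-abdirect-web-17.03.00.01-20170313.032310-34-config.tar] action create"
    " (AB_CD_Appserver::deploy line 21)",
    "[2017-03-13T16:20:41-04:00] INFO: Processing remote_file[/opt/chef/cache/"
    "openupf-hldirect-web-17.03.00.02-20170313.041502-35-config.tar] action create"
    " (AB_CD_Appserver::deploy line 21)",
    "[2017-03-13T16:21:00-04:00] INFO: Chef Run complete in 42.1 seconds",
]

# Regex from the first answer: four dotted numbers, then everything up to ']'.
SIMPLE = re.compile(r"(?P<file_version>\d+\.\d+\.\d+\.\d+[^\]]+)")

# Regex produced by the Splunk regex builder (second answer), with the
# named group spelled the Python way.
BUILDER = re.compile(
    r"(?=[^o]*(?:opt/chef/cache/openupf-abdirect-web-|o.*opt/chef/cache/openupf-hldirect-web-))"
    r"^(?:[^\-\n]*\-){6}"
    r"(?P<file_version>\d+\.\d+\.\d+\.\d+\-\d+\.\d+\-\d+\-\w+\.\w+)"
)


def extract_file_version(event, pattern=SIMPLE):
    """Return the file_version that rex would create for this event, or None
    when the regex does not match (rex then simply adds no field)."""
    m = pattern.search(event)
    return m.group("file_version") if m else None


def alertable(events, pattern=SIMPLE):
    """Rows that survive '... | rex ... | search file_version=*', i.e. the
    events an alert built on this extraction would put into the e-mail."""
    rows = []
    for event in events:
        version = extract_file_version(event, pattern)
        if version is not None:
            rows.append((event, version))
    return rows


if __name__ == "__main__":
    for name, pattern in (("SIMPLE", SIMPLE), ("BUILDER", BUILDER)):
        print(name, [v for _, v in alertable(EVENTS, pattern)])
```

As written, the builder regex does not match the abdirect event from the question, because its lookahead stops at the first lowercase "o" (in "Processing") and from there only the hldirect alternative can succeed; check a generated regex against every event variant before the alert goes live.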

Contributor

You could use a regex to extract the field at search time, like this: *\d{2}.\d{2}.\d{2}.\d{2}-\d{8}.\d{6}-\d{2}-\w*.\w*.* and then create an alert that sends the e-mail.
