Splunk Search

How to extract the short description from incoming event?

Splunk4
Explorer

Hi Everyone,

I have a field called TriggeredMessage coming in an event in Splunk and I want to extract the short description field from it. Below is a sample TriggeredMessage; it will vary:

Alert::Serious::Server::Memory Utilization is 92 %, which is above threshold 90% & less than 95%::memory.

And I want to extract a short description as below:

Server::Memory Utilization is 92 %, which is above threshold 90% & less than 95%

I am trying a regex but it is not working for me. Please help me with this.

Thanks.

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Splunk4,

please try this:

| rex field=TriggeredMessage  "^([^:]+..){2}(?<short_message>([^:]+..){2})"

that you can test at https://regex101.com/r/bqgbhr/1

Ciao.

Giuseppe

0 Karma

neerajs_81
Builder

Giuseppe's answer is more accurate. Thank you 


Splunk4
Explorer

Thanks, it's working. I have just modified it to the below in order to remove the :: coming at the end:

| rex field=TriggeredMessage  "^([^:]+..){2}(?<short_message>([^:]+..){2})::"

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Splunk4,

good for you, see next time!

Please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

0 Karma

Splunk4
Explorer

Hi @gcusello ,

In the above message, some messages can also come up with spaces in between, like below:

Alert :: Serious :: Server :: Memory Utilization is 92 %, which is above threshold 90% & less than 95% :: memory

So can this regex be modified in order to capture the messages with spaces as well?

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Splunk4,

the above regex also runs with spaces, as you can test at the above link; in fact the spaces are already considered in the group [^:]+

but anyway, you can test this regex:

| rex "^([^:]+::\s*){2}(?<short_message>([^:]+::){2})"

Ciao.

Giuseppe

0 Karma

Splunk4
Explorer

Hi @gcusello ,

I tried the regex for one of the below events but it seems it's not working.

Alert :: Critical :: NXUSWSDD01 :: DATA-DOMAIN-MIB:spaceOver90Percent : sysUpTime = 33 days 22 hours 7 minutes 10.56 seconds, systemSerialNumber = APM00202524576, fileSystemSpaceUsed.2 = 26637.6, alertInfoDescription.48 = Space usage in Data Collection has exceeded 90% threshold. EVT-OBJ::FilesysType=2 EVT-INFO::SpaceUsage(%)=90 :: Storage Traps

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Splunk4,

ok, please try this:

| rex field=TriggeredMessage "^([^:]+::\s+){2}(?<short_message>.*)::"

that you can test at https://regex101.com/r/bqgbhr/2

Ciao.

Giuseppe

0 Karma

Splunk4
Explorer

It is bringing only the server name (NXUSWSDD01) present at the third position in events with spaces, and in events without spaces it is not bringing anything.

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Splunk4,

are you sure you copied my regex exactly?

because it's running on my PC:

[screenshot: gcusello_0-1655969938246.png]

Ciao.

Giuseppe

0 Karma

Splunk4
Explorer

Hi @gcusello ,

Below is the one which is showing blank for events without spaces:

[screenshot: Splunk4_0-1655970383727.png]

Below is the one which is with spaces. It looks like some events are with special characters.

[screenshot: Splunk4_1-1655970589530.png]

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Splunk4 ,

ok, please try this:

| rex field=TriggeredMessage "^([^:]+::\s*){2}(?<short_message>.*)::"

that you can test at https://regex101.com/r/bqgbhr/3

Ciao.

Giuseppe

0 Karma

Splunk4
Explorer

It's working fine for the events without spaces now, and for events with spaces there are some events (not all), which I highlighted earlier, that are not working. Below is one:

Alert :: Critical :: NXUSWSSW01 :: SW-MIB:swDeviceStatusTrap : swFCPortSpecifier.43 = 42, swDeviceStatus.43 = login(1), swEndDevicePortID.43 = AAEqKQ==, swNsNodeName.43 = ÀPv
lð, swNsPortName.43 = ÀPv
lð, sysUpTime = 11 days 19 hours 0 minutes 0.04 second, experimental.1057.1.0 = 10.80.248.71, snmpTrapEnterprise = SW-MIB:sw :: Storage Traps

Not sure what could be the issue.

0 Karma
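To see how the last regex in this thread (the `^([^:]+::\s*){2}(?<short_message>.*)::` form) behaves on the three kinds of event posted above, here is an added Python example; it is not code from the thread or from Splunk. It uses Python's re module, so the named group is written `(?P<...>)`, and the line-break sample is an assumption of mine about why some trap events still fail: in PCRE (which rex uses) and in Python alike, `.` does not cross a line break unless the `(?s)` / DOTALL flag is set.

```python
import re

# Final pattern from the thread, in Python syntax ((?P<name>...) instead of PCRE's (?<name>...)).
# ^([^:]+::\s*){2}          skip the first two "::"-delimited fields, with or without spaces
# (?P<short_message>.*)::   greedy capture, so it backtracks to the LAST "::" in the event
PATTERN = r"^([^:]+::\s*){2}(?P<short_message>.*)::"


def extract_short_message(event, dotall=False):
    """Return the short message (trailing whitespace stripped), or None if the event
    does not have at least three "::" separators.

    dotall=True is Python's re.DOTALL, the equivalent of the PCRE (?s) flag that
    Splunk's rex accepts; without it "." stops at a line break inside the event.
    """
    flags = re.DOTALL if dotall else 0
    m = re.match(PATTERN, event, flags)
    return m.group("short_message").rstrip() if m else None


# Constructed sample events modelled on the thread's examples.
NO_SPACES = ("Alert::Serious::Server::Memory Utilization is 92 %, "
             "which is above threshold 90% & less than 95%::memory.")
WITH_SPACES = ("Alert :: Serious :: Server :: Memory Utilization is 92 %, "
               "which is above threshold 90% & less than 95% :: memory")
NESTED = ("Alert :: Critical :: NXUSWSDD01 :: DATA-DOMAIN-MIB:spaceOver90Percent : "
          "alertInfoDescription.48 = Space usage has exceeded 90% threshold. "
          "EVT-OBJ::FilesysType=2 EVT-INFO::SpaceUsage(%)=90 :: Storage Traps")
# Assumption: the trap events that still failed carry a raw line break inside the
# message body (the pasted event above wraps mid-value); "\n" stands in for it here.
MULTILINE = ("Alert :: Critical :: NXUSWSSW01 :: SW-MIB:swDeviceStatusTrap : "
             "swNsNodeName.43 = \x00\nld, snmpTrapEnterprise = SW-MIB:sw :: Storage Traps")

if __name__ == "__main__":
    for name, event in [("no spaces", NO_SPACES), ("spaces", WITH_SPACES),
                        ("nested ::", NESTED), ("line break", MULTILINE)]:
        print(f"{name:>10}: {extract_short_message(event)!r}")
    # With a line break only the server name survives, unless "." may span lines:
    print(f"{'(?s) fix':>10}: {extract_short_message(MULTILINE, dotall=True)!r}")
```

Inside rex the same switch is the inline flag, e.g. `"(?s)^([^:]+::\s*){2}(?<short_message>.*)::"`, which is worth trying on the events that only return the server name.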

neerajs_81
Builder

Use this:

| rex field=triggeredmessage "Alert::Serious::(?<Short_Description>\w.+)::"

[screenshot: neerajs_81_0-1655709790435.png]

Please Mark as Answer or Upvote if this is correct.

0 Karma