Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multiple expressions in single search

stlimanika
New Member
‎01-22-2018 09:47 AM

I'm trying to combine multiple rex expressions in a single search, but I'm having issues with my syntax. More specifically I'm trying to create a table showing the state of Weblogic application deployments after a JVM restart. We have multiple application deployments so I'd like to gather the information showing status of each application after JVM starts up. A clip from my logs might look like this...

[Jan 19, 2018 6:44:17 PM GMT] [Info] [Deployer] [myhost.com] [my-wls-jvm-name01] [[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default (self-tuning)'] [[WLS Kernel]] [1516387457459] [BEA-149060] [Module myapp.war of application myapp successfully transitioned from STATE_ADMIN to STATE_ACTIVE on server my-wls-jvm-name01.]

[Jan 19, 2018 6:44:17 PM GMT] [Info] [Deployer] [myhost.com] [my-wls-jvm-name01] [[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default (self-tuning)] [[WLS Kernel]] [1516387457442] [BEA-149059] [Module myotherapp.ear of application MyOtherApp Application [Version=11.1.1.1.0] is transitioning from STATE_ADMIN to STATE_ACTIVE on server my-wls-jvm-name01.]

My search looks something likes this...
host=myhost source=/hosting/logs//*.log CASE(Module) *.ear OR *.war | rex "Module (?[^/]+)of*transitioned from (?[^/]+)" | table myapp myappfromto

Tags (2)
0 Karma
Reply

gokadroid
Motivator
‎01-22-2018 11:05 AM

How about trying this below to have all the relevant things [out of which you can choose what do you want to pick]:

    host=myhost source=/hosting/logs//.log CASE(Module) .ear OR *.war
    | rex "\[Module\s*(?<myWar>[\S]+) of application (?<myApp>[\S]+) (?<action>.+) from (?<prevState>[\S]+) to (?<curState>[\S]+) on server (?<server>[^\]]+)"
| table myWar, myApp, action, prevState, curState, server

See extraction here

A better extraction which will ensure that spaces don't tumble the query can be seen here and using that your query shall look like as follows:

    host=myhost source=/hosting/logs//.log CASE(Module) .ear OR *.war
    | rex "\[Module\s*(?<myWar>[\S]+)\s*of\s*application\s*(?<myApp>[\S]+)\s*(?<action>.+)\s*from\s*(?<prevState>[\S]+)\s*to\s*(?<curState>[\S]+)\s*on\s*server\s*(?<server>[^\]]+)"
| table myWar, myApp, action, prevState, curState, server
0 Karma
Reply

horsefez
Motivator
‎01-22-2018 11:18 AM

Hi gokadroid,

actually the rex command isn't completed like this.

please do 

| rex field=_raw "\[Module\s*(?<myWar>[\S]+)\s*of\s*application\s*(?<myApp>[\S]+)\s*(?<action>.+)\s*from\s*(?<prevState>[\S]+)\s*to\s*(?<curState>[\S]+)\s*on\s*server\s*(?<server>[^\]]+)"
0 Karma
Reply

gokadroid
Motivator
‎01-22-2018 11:32 AM

@horsefez
Please read the documentation here below:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex#Optional_arguments

What you are asking me to do is "optional" and anyways field is always taken _raw as default.

Reply

horsefez
Motivator
‎01-22-2018 11:56 AM

oh, wow... didn't know that 🙂

0 Karma
Reply

gokadroid
Motivator
‎01-22-2018 12:04 PM

we always learn something new with Splunk!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...