Splunk Search

Multiple expressions in single search

New Member

I'm trying to combine multiple rex expressions in a single search, but I'm having issues with my syntax. More specifically I'm trying to create a table showing the state of Weblogic application deployments after a JVM restart. We have multiple application deployments so I'd like to gather the information showing status of each application after JVM starts up. A clip from my logs might look like this...

[Jan 19, 2018 6:44:17 PM GMT] [Info] [Deployer] [myhost.com] [my-wls-jvm-name01] [[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default (self-tuning)'] [[WLS Kernel]] [1516387457459] [BEA-149060] [Module myapp.war of application myapp successfully transitioned from STATEADMIN to STATEACTIVE on server my-wls-jvm-name01.]

[Jan 19, 2018 6:44:17 PM GMT] [Info] [Deployer] [myhost.com] [my-wls-jvm-name01] [[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default (self-tuning)] [[WLS Kernel]] [1516387457442] [BEA-149059] [Module myotherapp.ear of application MyOtherApp Application [Version=11.1.1.1.0] is transitioning from STATEADMIN to STATEACTIVE on server my-wls-jvm-name01.]

My search looks something like this...
host=myhost source=/hosting/logs//.log CASE(Module) *.ear OR *.war | rex "Module (?[^/]+)oftransitioned from (?[^/]+)" | table myapp myappfromto


Motivator

How about trying this below to have all the relevant things [out of which you can choose what you want to pick]:

    host=myhost source=/hosting/logs//.log CASE(Module) *.ear OR *.war
    | rex "\[Module\s*(?<myWar>[\S]+) of application (?<myApp>[\S]+) (?<action>.+) from (?<prevState>[\S]+) to (?<curState>[\S]+) on server (?<server>[^\]]+)"
    | table myWar, myApp, action, prevState, curState, server

See extraction here

A better extraction, which will ensure that spaces don't trip up the query, can be seen here, and using that your query would look as follows:

    host=myhost source=/hosting/logs//.log CASE(Module) *.ear OR *.war
    | rex "\[Module\s*(?<myWar>[\S]+)\s*of\s*application\s*(?<myApp>[\S]+)\s*(?<action>.+)\s*from\s*(?<prevState>[\S]+)\s*to\s*(?<curState>[\S]+)\s*on\s*server\s*(?<server>[^\]]+)"
    | table myWar, myApp, action, prevState, curState, server
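The extraction from the answer above, worked through offline as an added example (not part of the original thread, and not Splunk's own code): the whitespace-tolerant pattern translated to Python's `re`, which spells named groups `(?P<name>...)` instead of PCRE's `(?<name>...)` but backtracks the same way, run against three constructed events, two modelled on the lines quoted in the question and one non-deployment message. It makes visible two things the SPL alone does not: the greedy `(?<action>.+)` only backtracks as far as it must, so it keeps the space before `from`, and `(?<server>[^\]]+)` keeps the sentence's trailing period, so both need trimming before you group on them. The `latest_state` helper stands in for a follow-on `| stats latest(curState) by myApp`; that step is an assumption about what the asker wants, not something the thread proposes.

```python
import re

# Constructed events modelled on the WebLogic Deployer lines quoted in the
# question; they are not copied from a real system. The third line is a
# non-deployment message the pattern must leave alone.
SAMPLE_LINES = [
    "[Jan 19, 2018 6:44:17 PM GMT] [Info] [Deployer] [myhost.com] [my-wls-jvm-name01] "
    "[[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default (self-tuning)'] "
    "[[WLS Kernel]] [1516387457459] [BEA-149060] [Module myapp.war of application myapp "
    "successfully transitioned from STATEADMIN to STATEACTIVE on server my-wls-jvm-name01.]",
    "[Jan 19, 2018 6:44:17 PM GMT] [Info] [Deployer] [myhost.com] [my-wls-jvm-name01] "
    "[[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default (self-tuning)'] "
    "[[WLS Kernel]] [1516387457442] [BEA-149059] [Module myotherapp.ear of application "
    "MyOtherApp Application [Version=11.1.1.1.0] is transitioning from STATEADMIN to "
    "STATEACTIVE on server my-wls-jvm-name01.]",
    "[Jan 19, 2018 6:44:18 PM GMT] [Info] [Deployer] [myhost.com] [my-wls-jvm-name01] "
    "[constructed non-deployment message with no Module transition]",
]

# The answer's second rex with PCRE (?<name>...) rewritten as Python's
# (?P<name>...). Everything else is character-for-character the same.
DEPLOY_RE = re.compile(
    r"\[Module\s*(?P<myWar>[\S]+)\s*of\s*application\s*(?P<myApp>[\S]+)\s*"
    r"(?P<action>.+)\s*from\s*(?P<prevState>[\S]+)\s*to\s*(?P<curState>[\S]+)\s*"
    r"on\s*server\s*(?P<server>[^\]]+)"
)

FIELDS = ["myWar", "myApp", "action", "prevState", "curState", "server"]


def extract(line):
    """Raw field values as rex would produce them, or None when the pattern
    does not match (Splunk then leaves the fields null for that event)."""
    m = DEPLOY_RE.search(line)
    return m.groupdict() if m else None


def deployment_table(lines):
    """Rows equivalent to `| table myWar, myApp, action, prevState, curState, server`.

    Values are trimmed because the greedy (?<action>.+) backtracks only as far
    as it has to, so it keeps the space before 'from', and [^\\]]+ keeps the
    sentence's trailing period in the server field.
    """
    rows = []
    for line in lines:
        fields = extract(line)
        if fields is None:
            continue  # non-matching events simply drop out of the table
        row = {name: fields[name].strip() for name in FIELDS}
        row["server"] = row["server"].rstrip(".")
        rows.append(row)
    return rows


def latest_state(rows):
    """Last observed curState per application, in event order: a stand-in for
    a follow-on `| stats latest(curState) by myApp` (assumed, not from the thread)."""
    state = {}
    for row in rows:
        state[row["myApp"]] = row["curState"]
    return state


if __name__ == "__main__":
    table = deployment_table(SAMPLE_LINES)
    for row in table:
        print(" | ".join(row[name] for name in FIELDS))
    print(latest_state(table))
```

Note how the second event behaves: `myApp` captures only `MyOtherApp`, and `Application [Version=11.1.1.1.0] is transitioning` lands in `action`, because `[\S]+` stops at the first space. If the real application names contain spaces, the field to group on is `myWar` rather than `myApp`.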

SplunkTrust

Hi gokadroid,

Actually, the rex command isn't complete like this.

please do

| rex field=_raw "\[Module\s*(?<myWar>[\S]+)\s*of\s*application\s*(?<myApp>[\S]+)\s*(?<action>.+)\s*from\s*(?<prevState>[\S]+)\s*to\s*(?<curState>[\S]+)\s*on\s*server\s*(?<server>[^\]]+)"

Motivator

@pyrowood
Please read the documentation below:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex#Optional_arguments

What you are asking me to do is "optional", and anyway the field is taken as _raw by default.

SplunkTrust

oh, wow... didn't know that 🙂


Motivator

we always learn something new with Splunk!!
