Splunk Search

Need help creating alerts using regular expressions

rmccaffery
New Member

I am new to Splunk logging and I have a host name and source that I would like to create an alert for. I want to create an alert for when there are 400's, 500's and instances of "error" being returned. I know how to write a regex but not how to pass it with Splunk's syntax. I was trying something like this:

host="hostname" source="source_name.log" error OR regex "/ 5\d\d /" OR regex "/ 4\d\d /"

I am familiar with how to create the alerts from a saved search but this syntax is not returning anything and the Splunk documentation for regular expressions is very vague. What is the cleanest and most efficient way to go about this?

Edit: Updated post to correct regex so it displays properly with the comment markdown. Also, I know the dataset I'm searching is returning 400's, 500's, and errors. If I try the same search and pass it 400 OR 403 OR 404 et cetera it will return results but I get no results when trying with the regex syntax.

Tags (3)
0 Karma

Ayn
Legend

In what sense is the documentation vague? Anything you write before the first pipe in the search field is added as arguments to the search command (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search ). The search command has no support for matching using regular expressions.

The regex command (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex ) does, however. But, regex is used as a separate filtering command, so you can't mix filtering expressions in the search command and then OR them together with what you filter on in the regex command.

My suggestion is, since you're looking for specific information in specific places in your logs, setup field extractions and then do wildcard matching on the specific fields. For instance, you could extract HTTP response codes to a field, let's call it response_code, and then do

host="hostname" source="source_name.log" (error OR response_code="4*" OR response_code="5*")
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...