{{Tag not found: #Friday, November 22, 2019 1:47:00 PM: #XXXXSQL2001: #Medium: #Disk E: has an average queue length of 7.59.: #Disks - Queue Length}}

ansif · ‎12-26-2019

{{Tag not found: #Friday, November 22, 2019 1:47:00 PM: #XXXXSQL2001: #Medium: #Disk E: has an average queue length of 7.59.: #Disks - Queue Length}}

TimeStamp Field :Friday, November 22, 2019 1:47:00 PM
Host : XXXXSQL2001
Priority :Medium
Message :Disk E: has an average queue length of 7.59.
Alarm_Name:Disks - Queue Length

{{Tag not found: #Friday, November 22, 2019 1:50:38 PM: #XXXX0SQ47: #High: #The file 'R:\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\TempDBData\tempdb_mssql_6.ndf' on database 'tempdb' has an I/O stall time of 57.82 ms/IO averaged over the last 5 samples.: #I/O Stall Time}}

TimeStamp Field :Friday, November 22, 2019 1:50:38 PM
Host : XXXX0SQ47
Priority :High
Message :The file 'R:\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\TempDBData\tempdb_mssql_6.ndf' on database 'tempdb' has an I/O stall time of 57.82 ms/IO averaged over the last 5 samples.
Alarm_Name:I/O Stall Time

gcusello · ‎12-27-2019

Hi @ansif,
try something like this:

^[^\#]*\#(?<TimeStamp>.*):\s+\#(?<Host>[^:]*):\s+\#(?<Priority>[^:]*):\s+\#(?<Message>.*):\s+\#(?<Alarm_Name>[^\}]*)

that you can test at https://regex101.com/r/ssLQnZ/1 .

Ciao and Happy New Year.
Giuseppe

View solution in original post

vnravikumar · ‎12-27-2019

Hi

Give a try

| makeresults 
| eval _raw="{{Tag not found: #Friday, November 22, 2019 1:50:38 PM: #XXXX0SQ47: #High: #The file 'R:\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\TempDBData\tempdb_mssql_6.ndf' on database 'tempdb' has an I/O stall time of 57.82 ms/IO averaged over the last 5 samples.: #I/O Stall Time}}
" 
| eval temp=split(_raw," #") 
| rex field=temp mode=sed "s/(\:$|}})//g" 
| eval "TimeStamp Field" =mvindex(temp,1), Host=mvindex(temp,2),Priority = mvindex(temp,3),Message =mvindex(temp,4),Alarm_Name=mvindex(temp,5) 
| table "TimeStamp Field" Host Priority Message Alarm_Name

gcusello · ‎12-27-2019

Hi @ansif,
try something like this:

^[^\#]*\#(?<TimeStamp>.*):\s+\#(?<Host>[^:]*):\s+\#(?<Priority>[^:]*):\s+\#(?<Message>.*):\s+\#(?<Alarm_Name>[^\}]*)

that you can test at https://regex101.com/r/ssLQnZ/1 .

Ciao and Happy New Year.
Giuseppe

Need help in parsing events

{{Tag not found: #Friday, November 22, 2019 1:47:00 PM: #XXXXSQL2001: #Medium: #Disk E: has an average queue length of 7.59.: #Disks - Queue Length}}

{{Tag not found: #Friday, November 22, 2019 1:50:38 PM: #XXXX0SQ47: #High: #The file 'R:\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\TempDBData\tempdb_mssql_6.ndf' on database 'tempdb' has an I/O stall time of 57.82 ms/IO averaged over the last 5 samples.: #I/O Stall Time}}

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?