Splunk Search

Pass splunk command from lookup table for execution

rahul15601
Engager

Hi,

I am very new in Splunk and need some help to understand Splunk command execution structure.

Case: We have input data coming from a DB and being ingested into Splunk. The data has some patterns (including dynamic and static values). We have one lookup table where we maintain parts of the strings (error messages) which need to be checked against the ingested data.

If a pattern is found then we need to take the string from the lookup table and get the count of similar types of error that occurred in a day.

Approach: Using a lookup table and wildcard (matchtype) in the transforms.conf file I am able to match static errors in the ingested data, but dynamic errors are not matched.

For example:

"30032_SomeID_23448:Name:test--curt:fields"

If such a pattern is present in the ingested data, then in the lookup table I have added a partial string (*_SomeID_*--curt:fields*) so that it gets matched using the wildcard (matchtype) of the transforms.conf file.

But I need to extract the "30032_SomeID_23448:Name:test--curt:fields" string from the ingested data.
Hence I am using regex, and in the lookup table I am maintaining a regex string so that if a match is found I can get the corresponding regex string and pass it to the Splunk search for execution.

Please correct me if my logic for this task is wrong, or if I should use a better approach in Splunk.

Regex stored in the lookup table:

 ": (?<ename>.+?) Field"

I get this in the search through the lookup command, put the string into a variable from the lookup output, and try to execute it like this:

| lookup application_lookup email_body AS email_body OUTPUT email_body AS email_body_lookup application_name alert_type rge_col
| rex field=email_body + rge_col

But I get the error below.

Error in 'rex' command: Encountered the following error while compiling the regex '+': Regex: quantifier does not follow a repeatable item.

If someone can guide me, that would be a great help.

Thanks in advance!

@MuS  @wrangler2x 


richgalloway
SplunkTrust

Try merging the two fields separately.

| lookup application_lookup email_body AS email_body OUTPUT email_body AS email_body_lookup application_name alert_type rge_col
| eval rex_field=email_body + rge_col
| rex field=rex_field
---
If this reply helps you, Karma would be appreciated.

rahul15601
Engager

Hi,

It did not work and I am getting the error below.

Error in 'SearchOperator:rex': Usage: regex [field=<field>] <regex>.

Any other way?
Please help!


richgalloway
SplunkTrust
You need to complete the rex command with the regular expression that you wish to match.
---
If this reply helps you, Karma would be appreciated.
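The lookup-driven matching the question describes, written as an added Python example rather than a Splunk search (this is not code from the thread; the lookup rows, events and the field names application_name, alert_type and rge_col are constructed for illustration): each regex from the lookup is compiled once, the first one that matches an event extracts ename, and hits are counted per day and alert type, which is what the rex-plus-count approach in the question was aiming for.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed lookup rows. Python spells named groups (?P<name>...), while
# Splunk's rex uses PCRE's (?<name>...), so the regexes are written in Python form.
LOOKUP = [
    {"application_name": "billing", "alert_type": "parse",
     "rge_col": r"(?P<ename>\d+_SomeID_\d+:Name:[^:]+--curt:fields)"},
    {"application_name": "billing", "alert_type": "timeout",
     "rge_col": r": (?P<ename>.+?) Field"},
]

# Constructed events as (timestamp, email_body); the first two carry dynamic IDs.
EVENTS = [
    ("2024-05-01T08:00:00", "ERR 30032_SomeID_23448:Name:test--curt:fields missing"),
    ("2024-05-01T09:30:00", "ERR 40011_SomeID_99:Name:prod--curt:fields missing"),
    ("2024-05-02T01:00:00", "Warning: Timeout Field not set"),
    ("2024-05-02T02:00:00", "unrelated message"),
]


def compile_lookup(rows):
    """Compile each lookup regex once; a malformed regex is reported and skipped."""
    compiled = []
    for row in rows:
        try:
            compiled.append((row, re.compile(row["rge_col"])))
        except re.error as exc:
            print(f"skipping lookup row {row['alert_type']}: {exc}")
    return compiled


def match_event(body, compiled):
    """Return (lookup_row, ename) for the first regex that matches, else None."""
    for row, rx in compiled:
        m = rx.search(body)
        if m:
            return row, m.group("ename")
    return None


def count_by_day(events, rows):
    """Count matched events per (day, alert_type), like stats count by day, alert_type."""
    compiled = compile_lookup(rows)
    counts = Counter()
    for ts, body in events:
        hit = match_event(body, compiled)
        if hit:
            row, _ename = hit
            day = datetime.fromisoformat(ts).date().isoformat()
            counts[(day, row["alert_type"])] += 1
    return counts
```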