- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- REX not being consistent in defining "fields"
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a set of router and switch syslog events that I am trying to define 'error' Fields for but I don't see the REX statement being consistent. When I run the following search against the listed two syslog events
Search
sourcetype=syslog_info earliest=-1m | rex "(?<error>\%.*-\b([0-4])\-.*):\s"
Syslog data
<DATE Field> %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host
<DATE Field> "%ACLLOG-4-ACLLOG_THRESHOLD: Source IP: 10.215.24.52, Destination IP: 167.68.250.45, Source Port: 137, Destination Port: 137, Source Interface: port-channel105, protocol"
I get the following results. Any thoughts to why one works and one doesn't? I am stumped.
1) error="%SNMP-3-AUTHFAIL"
2) error="%ACLLOG-4-ACLLOG_THRESHOLD: Source IP: 10.215.24.52, Destination IP: 167.68.250.45, Source Port: 137, Destination Port: 137, Source Interface: port-channel105, protocol"
Master Oogway
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The difference between your two sample events is that the second one has multiple : characters. The .* performs "greedy" matching, meaning it tries to include as much text as possible in the match.
Adding a question mark -- .*? -- will make it non-greedy:
| rex "(?<error>\%.*-\b([0-4])\-.*?):\s"
Or if you want a more permanent/complete solution, this covers most cases:
props.conf:
[cisco-eventcodes]
REGEX = (%(([\w\-]+)-(\d+)-([\w\_]+)):\s+(.*)$)
FORMAT = message_full::$1 event::$2 facility::$3 severity::$4 mnemonic::$5 message::$6
transforms.conf:
[syslog_info]
REPORT-ciscoevt = cisco-eventcodes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The difference between your two sample events is that the second one has multiple : characters. The .* performs "greedy" matching, meaning it tries to include as much text as possible in the match.
Adding a question mark -- .*? -- will make it non-greedy:
| rex "(?<error>\%.*-\b([0-4])\-.*?):\s"
Or if you want a more permanent/complete solution, this covers most cases:
props.conf:
[cisco-eventcodes]
REGEX = (%(([\w\-]+)-(\d+)-([\w\_]+)):\s+(.*)$)
FORMAT = message_full::$1 event::$2 facility::$3 severity::$4 mnemonic::$5 message::$6
transforms.conf:
[syslog_info]
REPORT-ciscoevt = cisco-eventcodes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A...ding, ding, ding! This did it. Thank you!
I will try the more permanent solution and see what I get.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
