Solved: Re: Regex Query Help: Need to Write a regex query ...

mintughosh · ‎06-13-2018

Below given is one section of an event. The event has multiple such sections. I want to write a regex search query so that I can fetch the 3 fields from the below given log
1) 'Tableau Server (Service) ' (PD) is (Status).

2018-05-25 02:21:30.270 -0500_EXACT_10.218.108.14:RTEEPK08_:pid=12466_0x4364712fuser=request=_ RTEEPK08:
Status: DEGRADED
'Tableau Server Data Engine' (7653) is running.
'Tableau Server Coordination Service 0' (7633) is running.
'Tableau Server Search and Browse 0' (2542) is running.
'Tableau Server Tabadmin Service 0' (25262) is running.
'Tableau Server Gateway' (252564) is running.
'Tableau Server Cluster Controller' is stopped.
'Tableau Server Repository' status is not available.
'Tableau Server File Store' status is not available.

RTEEPK09:
Status: STOPPED
RTEEPK10:
Status: STOPPED

I already wrote a regex query to extract it in the form of table for host and Status. But I am having problems in writing the regex query for 'Tableau Server (Service)' (PD) is (Status).

Extract - (Service), (PD) and (Status)

Thank you
Note: This is a sample modified log file

FrankVl · ‎06-14-2018

Following should work:

| rex max_match=0 "Tableau Server (?<Service>[^']+)'\s*\(?(?<PD>\d+)?\)?\s+(?:is|status\s+is)\s+(?<Status>[\w\s]+)\."

https://regex101.com/r/pwEJae/1

Only trouble with this: it gets the data into multi valued fields which means that you loose a reliable connection between the different parts of each line. So you might want to consider splitting this into individual events for each line, before extracting the individual fields.

View solution in original post

FrankVl · ‎06-14-2018

Following should work:

| rex max_match=0 "Tableau Server (?<Service>[^']+)'\s*\(?(?<PD>\d+)?\)?\s+(?:is|status\s+is)\s+(?<Status>[\w\s]+)\."

https://regex101.com/r/pwEJae/1

Only trouble with this: it gets the data into multi valued fields which means that you loose a reliable connection between the different parts of each line. So you might want to consider splitting this into individual events for each line, before extracting the individual fields.

mintughosh · ‎06-14-2018

It gives me the following error.
Error in 'rex' command: The regex 'max_matches=0' does not extract anything. It should specify at least one named group. Format: (?...).

Should I be adding something more to that query ?

493669 · ‎06-14-2018

try max_match=0 instead of max_matches=0

FrankVl · ‎06-14-2018

Good catch, updated that in my answer.

mintughosh · ‎06-14-2018

Tried but not getting the results as expected. I am not able to fetch the (Service), (PD) and (Status).

mintughosh · ‎06-14-2018

Ok. My issue is Resolved. I have added few more parameter and then followed by query Frank Suggested and then i added table to it

Regex Query Help: Need to Write a regex query for my log

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation