Solved: Regex host upper case

priya0709 · ‎08-23-2020

my query fetches (host, incident) from subject line by using below regex command

regex field=subject max_match=0 “(<Incident>INC\d{12})” | regex field=subject “(?<host>[a-z]{5}\d{3}\d[a-z]{4}\d\d)“

my query matches host from 1st query (1st query displays host based on some eventcode) and those host search for host in subject line and displays incident in separate column. however, incident is not fetched for host which are in uppercase Letter in subject and incident column remains blank for particular host.

Nisha18789 · ‎08-24-2020

Hi @priya0709 , its very strange , the same works below, this is the run anywhere query

| makeresults
| eval subject="INC201564712349/SGH821VYX1 please perform hardware diagonostics on wsini606xasi01 for a bug"
| rex field=subject "(?<Incident>INC\d{12})"
| rex field=subject "(?<host>[a-zA-Z]{5}\d{3}[a-zA-Z]{4}\d{2})"
| fields - _time

View solution in original post

Nisha18789 · ‎08-23-2020

Hi @priya0709 , can you try adding A-Z in host part of the existing regex as below

regex field=subject max_match=0 “(<Incident>INC\d{12})” | regex field=subject “(?<host>[a-zA-Z]{5}\d{3}\d[a-zA-Z]{4}\d\d)“

please upvote my response if it helps!

priya0709 · ‎08-23-2020

This doesnt work by updating regex with A-Z

Nisha18789 · ‎08-23-2020

Hi @priya0709 can you provide with a sample text of the log on which you are applying this regex?

priya0709 · ‎08-23-2020

please see this subject line if my first query fetches host wsini606xasi01 and when it matches with above subject based on regex query In which wsini606xasi01 is in uppercase it does not displays incident in another column. When 1st query and 2nd query both are in lower case host matches and displays incident.

Nisha18789 · ‎08-24-2020

hi @priya0709 , this should work

| rex field=text "(?<Incident>INC\d{12})"
| rex field=text "(?<host>[a-zA-Z]{5}\d{3}[a-zA-Z]{4}\d{2})"

priya0709 · ‎08-24-2020

Still not working 😟

Nisha18789 · ‎08-24-2020

Hi @priya0709 , its very strange , the same works below, this is the run anywhere query

| makeresults
| eval subject="INC201564712349/SGH821VYX1 please perform hardware diagonostics on wsini606xasi01 for a bug"
| rex field=subject "(?<Incident>INC\d{12})"
| rex field=subject "(?<host>[a-zA-Z]{5}\d{3}[a-zA-Z]{4}\d{2})"
| fields - _time

priya0709 · ‎08-24-2020

Thank you for your reply

will this query work only for the defined subject or for any subject line which has server in uppercase letter??

Nisha18789 · ‎08-24-2020

Hi @priya0709 , I have wrote that query based on the subject data you have provided, but given the host format is always liek below it will work.

5 letters+3 digits+4 letters+ 2 digits

Regex host upper case

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life