My query fetches (host, incident) from the subject line using the regex command below:
| rex field=subject max_match=0 "(?<Incident>INC\d{12})" | rex field=subject "(?<host>[a-z]{5}\d{3}\d[a-z]{4}\d\d)"
My query matches hosts from the 1st query (the 1st query displays hosts based on some EventCode), then searches for those hosts in the subject line and displays the incident in a separate column. However, the incident is not fetched for hosts that are in uppercase letters in the subject, and the incident column remains blank for those hosts.
Hi @priya0709, can you try adding A-Z to the host part of the existing regex, as below:
| rex field=subject max_match=0 "(?<Incident>INC\d{12})" | rex field=subject "(?<host>[a-zA-Z]{5}\d{3}\d[a-zA-Z]{4}\d\d)"
Please upvote my response if it helps!
This doesn't work after updating the regex with A-Z.
Hi @priya0709, can you provide a sample of the log text on which you are applying this regex?
Please see this subject line: if my first query fetches host wsini606xasi01 and matches it against the above subject with the regex query, in which wsini606xasi01 is in uppercase, it does not display the incident in the other column. When the host is in lowercase in both the 1st and 2nd query, the host matches and the incident is displayed.
Hi @priya0709, this should work:
| rex field=text "(?<Incident>INC\d{12})"
| rex field=text "(?<host>[a-zA-Z]{5}\d{3}[a-zA-Z]{4}\d{2})"
Still not working 😟
Hi @priya0709, it's very strange, the same works below; this is the run-anywhere query:
| makeresults
| eval subject="INC201564712349/SGH821VYX1 please perform hardware diagonostics on wsini606xasi01 for a bug"
| rex field=subject "(?<Incident>INC\d{12})"
| rex field=subject "(?<host>[a-zA-Z]{5}\d{3}[a-zA-Z]{4}\d{2})"
| fields - _time
Thank you for your reply.
Will this query work only for the defined subject, or for any subject line that has the server name in uppercase letters?
Hi @priya0709, I wrote that query based on the subject data you provided, but given that the host format is always like below, it will work:
5 letters + 3 digits + 4 letters + 2 digits
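As an added example that is not part of any post in this thread, here is the same extraction and host matching in Python, assuming the comparison between the two searches is an exact, case-sensitive match on the host field (as a join is). The hosts and subjects are constructed sample data; the second subject carries the host in uppercase, which leaves Incident blank until both sides are lowercased (the equivalent of `| eval host=lower(host)` before matching).

```python
import re

# Constructed sample data (not from the thread): hosts returned by the first
# search (e.g. filtered on an EventCode) and e-mail subjects for the second.
FIRST_QUERY_HOSTS = ["wsini606xasi01", "wsini606xasi02"]
SUBJECTS = [
    "INC201564712349/SGH821VYX1 please perform hardware diagonostics on wsini606xasi01 for a bug",
    "INC201564712350/SGH821VYX2 please perform hardware diagonostics on WSINI606XASI02 for a bug",
]

INCIDENT_RE = re.compile(r"(?P<Incident>INC\d{12})")
# Letters in either case, like the [a-zA-Z] rex suggested in the thread:
# 5 letters + 3 digits + 4 letters + 2 digits.
HOST_RE = re.compile(r"(?P<host>[a-zA-Z]{5}\d{3}[a-zA-Z]{4}\d{2})")


def extract(subject):
    """Equivalent of the two rex commands: first match of each pattern, or None."""
    inc = INCIDENT_RE.search(subject)
    host = HOST_RE.search(subject)
    return (inc.group("Incident") if inc else None,
            host.group("host") if host else None)


def incidents_by_host(hosts, subjects, normalize_case):
    """Left-join the first query's hosts to the Incident extracted from subjects.

    normalize_case=False compares host values exactly (case-sensitive), which is
    what leaves Incident blank when the subject spells the host in uppercase.
    normalize_case=True lowercases both sides first, the equivalent of
    '| eval host=lower(host)' applied before the join.
    """
    key = (lambda h: h.lower()) if normalize_case else (lambda h: h)
    extracted = {}
    for s in subjects:
        inc, host = extract(s)
        if host is not None and inc is not None:
            extracted.setdefault(key(host), inc)  # keep the first incident per host
    return {h: extracted.get(key(h)) for h in hosts}


if __name__ == "__main__":
    print(incidents_by_host(FIRST_QUERY_HOSTS, SUBJECTS, normalize_case=False))
    print(incidents_by_host(FIRST_QUERY_HOSTS, SUBJECTS, normalize_case=True))
```

Run as-is, the first print shows wsini606xasi02 with no incident and the second shows both hosts filled; the regex alone is not the problem once it accepts both cases, the exact host comparison is.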