Splunk Search

Regex host upper case

priya0709
Path Finder

my query fetches (host, incident) from subject line by using below regex command

rex field=subject max_match=0 "(?<Incident>INC\d{12})" | rex field=subject "(?<host>[a-z]{5}\d{3}\d[a-z]{4}\d\d)"

My query matches the host from the 1st query (the 1st query displays hosts based on some event code), then searches for those hosts in the subject line and displays the incident in a separate column. However, the incident is not fetched for hosts that are in uppercase letters in the subject, and the incident column remains blank for that host.

0 Karma
1 Solution

Nisha18789
Builder

Hi @priya0709, it's very strange, the same works below; this is the run-anywhere query

| makeresults
| eval subject="INC201564712349/SGH821VYX1 please perform hardware diagonostics on wsini606xasi01 for a bug"
| rex field=subject "(?<Incident>INC\d{12})"
| rex field=subject "(?<host>[a-zA-Z]{5}\d{3}[a-zA-Z]{4}\d{2})"
| fields - _time

0 Karma

Nisha18789
Builder

Hi @priya0709, can you try adding A-Z in the host part of the existing regex, as below

rex field=subject max_match=0 "(?<Incident>INC\d{12})" | rex field=subject "(?<host>[a-zA-Z]{5}\d{3}\d[a-zA-Z]{4}\d\d)"

please upvote my response if it helps!

0 Karma

priya0709
Path Finder

This doesn't work after updating the regex with A-Z.

0 Karma

Nisha18789
Builder

Hi @priya0709, can you provide a sample text of the log on which you are applying this regex?

0 Karma

priya0709
Path Finder

953EA21C-375E-473A-A80A-CBA55F4A49A9.jpeg

Please see this subject line: my first query fetches host wsini606xasi01, and when it is matched against the above subject with the regex query, in which wsini606xasi01 is in uppercase, it does not display the incident in the other column. When the host is in lowercase in both the 1st and 2nd queries, it matches and displays the incident.

0 Karma

Nisha18789
Builder

Hi @priya0709, this should work

| rex field=text "(?<Incident>INC\d{12})"
| rex field=text "(?<host>[a-zA-Z]{5}\d{3}[a-zA-Z]{4}\d{2})"

0 Karma

priya0709
Path Finder

Still not working 😟

0 Karma

priya0709
Path Finder

Thank you for your reply

Will this query work only for the defined subject, or for any subject line which has the server in uppercase letters?

0 Karma

Nisha18789
Builder

Hi @priya0709, I wrote that query based on the subject data you provided, but given that the host format is always like below, it will work.

5 letters+3 digits+4 letters+ 2 digits

0 Karma
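To see the difference between the two host patterns outside Splunk, here is an added Python example; it is not part of the thread and not Splunk's code. Python's re module stands in for the PCRE engine that rex uses (named groups are written (?P<name>...) rather than (?<name>...)). The subject lines are constructed samples, and the host list and the lower-casing join step are assumptions of the example, added to show a second point the thread only hints at: even once the host is extracted from an uppercase subject, comparing it with a lowercase host value from the first search still fails unless both sides are normalised to one case.

```python
import re

# Constructed sample subject lines (not taken from the thread's real logs).
SAMPLE_SUBJECTS = [
    "INC201564712349/SGH821VYX1 please perform hardware diagnostics on wsini606xasi01 for a bug",
    "INC201564712350 disk alert on WSINI606XASI02 needs attention",
    "No ticket reference here, host Abcde123Wxyz99 mixed case",
]

# Host format from the accepted answer: 5 letters + 3 digits + 4 letters + 2 digits.
# Pattern from the original question: lowercase letters only.
HOST_LOWER_ONLY = re.compile(r"(?P<host>[a-z]{5}\d{3}[a-z]{4}\d{2})")
# Pattern from the accepted answer: both cases allowed in the letter positions.
HOST_BOTH_CASES = re.compile(r"(?P<host>[a-zA-Z]{5}\d{3}[a-zA-Z]{4}\d{2})")
# Equivalent alternative: keep [a-z] and switch on the case-insensitive flag.
HOST_FLAG_I = re.compile(r"(?i)(?P<host>[a-z]{5}\d{3}[a-z]{4}\d{2})")
# Incident pattern from the thread: INC followed by exactly 12 digits.
INCIDENT = re.compile(r"(?P<Incident>INC\d{12})")


def extract(subject, host_pattern=HOST_BOTH_CASES):
    """Mimic the two rex commands: return Incident and host, None where nothing matched."""
    inc = INCIDENT.search(subject)
    hst = host_pattern.search(subject)
    return {
        "Incident": inc.group("Incident") if inc else None,
        "host": hst.group("host") if hst else None,
    }


def incidents_for_hosts(subjects, hosts_from_first_query, host_pattern=HOST_BOTH_CASES):
    """Hypothetical join step (assumption, not from the thread): for each host the
    first search produced, collect the incidents whose subject names that host.
    Both sides are lower-cased so WSINI606XASI02 and wsini606xasi02 count as one host."""
    result = {h.lower(): [] for h in hosts_from_first_query}
    for subject in subjects:
        fields = extract(subject, host_pattern)
        if not (fields["host"] and fields["Incident"]):
            continue
        key = fields["host"].lower()
        if key in result:
            result[key].append(fields["Incident"])
    return result


if __name__ == "__main__":
    hosts = ["wsini606xasi01", "wsini606xasi02"]
    print("lowercase-only pattern:", incidents_for_hosts(SAMPLE_SUBJECTS, hosts, HOST_LOWER_ONLY))
    print("both-cases pattern:    ", incidents_for_hosts(SAMPLE_SUBJECTS, hosts))
```

Run stand-alone, the lowercase-only pattern leaves the second host with no incidents, which is the blank column described in the question, while the both-cases pattern (or the (?i) flag) fills it in. The lower() normalisation is the extra step to keep in mind when the host values from the first search are themselves lowercase.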