Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Regular expression in log message

nanachu
Path Finder
‎10-03-2019 10:08 PM

I'm struggling now.
Could you please help me?

There are two hosts. they have same log data.

the host name is different but the same data is indexed.
host 1 is the master.
If host 1 fails, 2 becomes the master.

If an alert is created as it is, two alerts will be created for the same event. So I am trying to make the same event into one using dedup.

There is a message in the log, only the number changes.

Error message ××× occur

I want to create field to use dedup.
I know it is wrong but I want to do like this one.

message = "Error message \ d \ d \ d occur"
| dedup message

I can't come up with a way.

Could you help me?

Thank you.

0 Karma
Reply

aholzel
Communicator
‎10-04-2019 01:44 AM

If the number changes than the message is not the same. That is why you still see both messages. What you can do is a replace, to remove the number and than do the dedup. something like this based on the layout of the message field you provided:

| eval message=replace(message, "([^\d]*)(\d*\s*\d*\s*\d*)(.*)","\1\3")
0 Karma
Reply

Sfry1981
Communicator
‎10-04-2019 12:47 AM

Hi @nanachu

Does what you state about the dedup not work as this should eliminate any duplicate messages and always just pick one from the first host?

Also on the alert you can add a throttle so the same alert is not triggered twice?

You also mentioned about regular expression in the log message. Do you mean you have created a regex to extract from the raw data t get this info?

0 Karma
Reply

nanachu
Path Finder
‎10-04-2019 01:51 AM

Thank you for helping me.
Sorry, my English is bad.

I can not create field like
because
|eval message = "Error message * * * occur" does not work.
so, I want to know how to create field that put a regular expression in message.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...