Solved: Searching string with patterns

akki2428 · ‎10-23-2019

Hi, I would want to search for all results for this specific string pattern

'record has not been created for id XXXXXXXXXX,XXXXXXXXXX in DB'

Note that:
XXXXXXXXXX is a variable value, always of 10 character.
Sample text: 'record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB'
Any help would be highly appreciated. Thanks

whrg · ‎10-23-2019

Hello @akki2428,

Check out the regex command:

| makeresults | eval _raw="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB"
| regex _raw="record has not been created for id \w{10},\w{10} in DB"

Somewhat more flexible, you could also extract the ID as new fields and filter on these fields:

| makeresults | eval _raw="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB"
| rex field=_raw "record has not been created for id (?<id1>\w+),(?<id2>\w+) in DB"
| eval len_id1=len(id1) | eval len_id2=len(id2)
| search len_id1=10 len_id2=10

View solution in original post

whrg · ‎10-23-2019

Hello @akki2428,

Check out the regex command:

| makeresults | eval _raw="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB"
| regex _raw="record has not been created for id \w{10},\w{10} in DB"

Somewhat more flexible, you could also extract the ID as new fields and filter on these fields:

| makeresults | eval _raw="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB"
| rex field=_raw "record has not been created for id (?<id1>\w+),(?<id2>\w+) in DB"
| eval len_id1=len(id1) | eval len_id2=len(id2)
| search len_id1=10 len_id2=10

akki2428 · ‎10-23-2019

Thanks @whrg , I tried using this command. It returns record just for id x1IoGPTIBP. All other records are missed.

whrg · ‎10-23-2019

@akki2428 The search query above using makeresults creates only one record for testing purposes. Your search should be something like this:

index=yourindex sourcetype=...
| regex _raw="record has not been created for id \w{10},\w{10} in DB"

If that does not work, perhaps you could post some other records.

akki2428 · ‎10-23-2019

Sorry for being a splunk noob @whrg . This works as expected. Thanks

akki2428 · ‎10-23-2019

Hi @whrg . If instead of length, I want to compare if both IDs are equal, then just |search id1=id2 should work? I tried but it is not returning any result

whrg · ‎10-24-2019

The search command's syntax is FIELD=VALUE. So |search id1=id2 will filter for the field id1 containing the string "id2".

You want to use where instead of seach. where evaluates boolean expressions. Try: |where id1==id2

This should also work:

| regex _raw="record has not been created for id (\w{10}),\1 in DB"

akki2428 · ‎10-29-2019

Hi @whrg , My search string is now - "record failed (state error) for ID x1IoGPTIBP". It doesn't extract the id I guess because of (state error) included in search string. How can we escape this.

| makeresults | eval _raw="record  failed (state error) for  ID x1IoGPTIBP"
 | rex field=_raw "record  failed (state error) for  ID (?<id1>\w+)"
 | table id1

whrg · ‎11-01-2019

Hello @akki2428, use back slashes to escape special characters:

| makeresults | eval _raw="record  failed (state error) for  ID x1IoGPTIBP"
| rex field=_raw "record  failed \(state error\) for  ID (?<id1>\w+)"
| table id1

mydog8it · ‎10-23-2019

The proposed search uses "makeresults" to be the data generator. You will need to provide the data generator part of the command to replace the "makeresults portion of the suggested search. If you create a search to pipe to the regex it should match more than the two you provided.

Searching string with patterns

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)