Splunk Search

Searching the log pattern

keshab
Path Finder

2011-11-07 13:25:35,145 FE (Exe 45) (pid 11788) destroyed

2011-11-07 13:25:35,152 PNG.exe (Exe 64) (pid 17286) destroyed

2011-11-07 13:25:35,158 K (Exe 44) (pid 11706) destroyed

2011-11-07 13:25:35,160 Kernel 44 released

2011-11-07 13:25:39,976 FE (Exe 66) initialized

2011-11-07 13:25:41,386 K (Exe 65) initialized

2011-11-07 13:39:14,750 Kernel 47 acquired

2011-11-07 13:39:16,139 PNG.exe (Exe 67) initialized

2011-11-07 13:49:27,829 FE (Exe 48) (pid 12912) destroyed

2011-11-07 13:49:27,838 PNG.exe (Exe 67) (pid 17786) destroyed

2011-11-07 13:49:27,868 K (Exe 47) (pid 12830) destroyed

2011-11-07 13:49:27,869 Kernel 47 released

2011-11-07 13:49:27,982 FE (Exe 69) initialized

2011-11-07 13:49:29,524 K (Exe 68) initialized

2011-11-07 13:58:19,630 Kernel 49 acquired

2011-11-07 13:58:20,147 PNG.exe (Exe 70) initialized

In the above log I only want to search for log lines that have K and end with initialized or destroyed. So my search result should be

2011-11-07 13:25:35,158 K (Exe 44) (pid 11706) destroyed

2011-11-07 13:25:41,386 K (Exe 65) initialized

2011-11-07 13:49:27,868 K (Exe 47) (pid 12830) destroyed

2011-11-07 13:49:29,524 K (Exe 68) initialized

What might be the possible search query?


tgow
Splunk Employee

I noticed that you missed a "\" in your last comment in front of the first "s+". I tested the regex with your data and it worked. Make sure that your search is similar to the following:

sourcetype=system | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

tgow
Splunk Employee

Did you replace sourcetype= with the unique sourcetype of your data? For example,

sourcetype=system | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

You can also replace the sourcetype with either the source or the host, for instance:

source=kernel.log | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

host=mysystem123 | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")
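An added example, not part of the thread: the rex / search pipeline from the answer above emulated in Python, so a pattern can be checked offline against sample events before it goes into a saved search. The sample events are the lines from the question, embedded here as a constructed test set. Splunk's rex uses PCRE named groups written (?<name>...), while Python's re module only accepts (?P<name>...), so the patterns are converted before compiling. Running the thread's \<kernel\> pattern against these events returns nothing, because no event contains the literal text <kernel>; the second pattern is an assumption of this example, not anything from the thread, and keys on the K token that does appear after the timestamp, returning exactly the four lines the question expects.

```python
import re

# Constructed sample: the events posted in the question, used as an offline test set.
SAMPLE_EVENTS = """\
2011-11-07 13:25:35,145 FE (Exe 45) (pid 11788) destroyed
2011-11-07 13:25:35,152 PNG.exe (Exe 64) (pid 17286) destroyed
2011-11-07 13:25:35,158 K (Exe 44) (pid 11706) destroyed
2011-11-07 13:25:35,160 Kernel 44 released
2011-11-07 13:25:39,976 FE (Exe 66) initialized
2011-11-07 13:25:41,386 K (Exe 65) initialized
2011-11-07 13:39:14,750 Kernel 47 acquired
2011-11-07 13:39:16,139 PNG.exe (Exe 67) initialized
2011-11-07 13:49:27,829 FE (Exe 48) (pid 12912) destroyed
2011-11-07 13:49:27,838 PNG.exe (Exe 67) (pid 17786) destroyed
2011-11-07 13:49:27,868 K (Exe 47) (pid 12830) destroyed
2011-11-07 13:49:27,869 Kernel 47 released
2011-11-07 13:49:27,982 FE (Exe 69) initialized
2011-11-07 13:49:29,524 K (Exe 68) initialized
2011-11-07 13:58:19,630 Kernel 49 acquired
2011-11-07 13:58:20,147 PNG.exe (Exe 70) initialized
""".splitlines()

# The pattern proposed in the thread, verbatim, in Splunk's PCRE syntax.
THREAD_PATTERN = r"\<kernel\>\s+(?<message>[^$]+)$"

# Hypothetical replacement (an assumption of this example, not from the thread):
# anchor on the timestamp, then require the process token "K" as a whole word.
# "Kernel ..." lines do not match because "K" must be followed by whitespace.
K_PATTERN = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\s+K\s+(?<message>.+)$"


def pcre_to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left alone: the group-name class only
    matches word characters, so neither "=" nor "!" is rewritten.
    """
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def rex(events, pattern):
    """Emulate `| rex field=_raw "<pattern>"`: return (event, fields) pairs.

    As in Splunk, events that do not match are kept, with no fields extracted.
    """
    compiled = re.compile(pcre_to_python(pattern))
    results = []
    for raw in events:
        m = compiled.search(raw)
        results.append((raw, m.groupdict() if m else {}))
    return results


def spl_wildcard_match(value, pattern):
    """Emulate one `search field="*suffix"` term: `*` is a wildcard, match is
    case-insensitive and must cover the whole field value."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def search_message(results, *wildcards):
    """Emulate `| search (message="*a" OR message="*b")`: keep events whose
    extracted message matches any term; events with no message field fall out."""
    kept = []
    for raw, fields in results:
        message = fields.get("message")
        if message is not None and any(spl_wildcard_match(message, w) for w in wildcards):
            kept.append(raw)
    return kept


def run_pipeline(events, pattern):
    """rex -> search, mirroring the SPL in the answer above."""
    return search_message(rex(events, pattern), "*initialized", "*destroyed")


if __name__ == "__main__":
    print("thread pattern matched:", len(run_pipeline(SAMPLE_EVENTS, THREAD_PATTERN)))
    for line in run_pipeline(SAMPLE_EVENTS, K_PATTERN):
        print(line)
```

Two things worth noticing when reading the result. `[^$]+` works here only because no event contains a dollar sign: it is a negated character class that excludes `$`, not "everything up to end of line", so `.+` followed by `$` says what is meant. And a rex pattern that matches nothing does not raise an error in Splunk; it produces an empty result, which in a detection search is easy to misread as "no such activity". Keying the pattern on a token that is visibly present in the raw event, and testing it against captured sample events as above, catches that before the search is saved.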

keshab
Path Finder

The problem is with this: rex field=_raw "<kernel>\s+(?<message>[^$]+)$". It's not matching any of my log patterns.


tgow
Splunk Employee

Maybe this would work, but I am not sure what your field extraction looks like:

sourcetype=<yoursourcetype> | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

keshab
Path Finder

It didn't work. It didn't return anything at all.
