Splunk Search

Searching the log pattern

keshab
Path Finder

2011-11-07 13:25:35,145 FE (Exe 45) (pid 11788) destroyed

2011-11-07 13:25:35,152 PNG.exe (Exe 64) (pid 17286) destroyed

2011-11-07 13:25:35,158 K (Exe 44) (pid 11706) destroyed

2011-11-07 13:25:35,160 Kernel 44 released

2011-11-07 13:25:39,976 FE (Exe 66) initialized

2011-11-07 13:25:41,386 K (Exe 65) initialized

2011-11-07 13:39:14,750 Kernel 47 acquired

2011-11-07 13:39:16,139 PNG.exe (Exe 67) initialized

2011-11-07 13:49:27,829 FE (Exe 48) (pid 12912) destroyed

2011-11-07 13:49:27,838 PNG.exe (Exe 67) (pid 17786) destroyed

2011-11-07 13:49:27,868 K (Exe 47) (pid 12830) destroyed

2011-11-07 13:49:27,869 Kernel 47 released

2011-11-07 13:49:27,982 FE (Exe 69) initialized

2011-11-07 13:49:29,524 K (Exe 68) initialized

2011-11-07 13:58:19,630 Kernel 49 acquired

2011-11-07 13:58:20,147 PNG.exe (Exe 70) initialized

In the above log I only want to search for log lines that have K and end with initialized or destroyed. So my search result should be

2011-11-07 13:25:35,158 K (Exe 44) (pid 11706) destroyed

2011-11-07 13:25:41,386 K (Exe 65) initialized

2011-11-07 13:49:27,868 K (Exe 47) (pid 12830) destroyed

2011-11-07 13:49:29,524 K (Exe 68) initialized

What might be the possible search query?


tgow
Splunk Employee

I noticed that you missed a "\" in your last comment in front of the first "s+". I tested the regex with your data and it worked. Make sure that your search is similar to the following:

sourcetype=system | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

tgow
Splunk Employee

Did you replace sourcetype= with the sourcetype of your data? For example,

sourcetype=system | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

You can also replace the sourcetype with either the source or the host, i.e.:

source=kernel.log | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

host=mysystem123 | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

keshab
Path Finder

Problem is with this rex field=_raw "<kernel>\s+(?<message>[^$]+)$". It's not matching any of my log patterns.


tgow
Splunk Employee

Maybe this would work, but I am not sure what your field extraction looks like:

sourcetype=<yoursourcetype> | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

keshab
Path Finder

It didn't work. It didn't return anything at all.

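A way to check both patterns from this thread offline before putting them into rex. This is an added example, not code from the thread or from Splunk: the log lines are the ones quoted in the question, the proposed pattern and the field names ts, proc, exe, pid and event are my own choices, and sourcetype=system is kept from the answers only as a placeholder for the real sourcetype. Splunk's rex is PCRE, and in PCRE (as in Python's re) "\<" and "\>" are just the literal characters "<" and ">", so the posted pattern can only match events whose text contains the string "<kernel>", which none of these lines do. The example converts PCRE named groups to Python's (?P<name>...) form, emulates rex plus search, and returns the lines each pattern keeps:

```python
"""Added example for the thread above (not code from the thread or from Splunk).

Splunk's rex command uses PCRE, whose named groups are written (?<name>...);
Python's re module wants (?P<name>...), so patterns are converted before they
are compiled. Everything else emulates `| rex field=_raw "..." | search ...`
closely enough to check a pattern against sample lines before running it.
"""
import re

# The log lines quoted in the question.
LOG_LINES = [
    "2011-11-07 13:25:35,145 FE (Exe 45) (pid 11788) destroyed",
    "2011-11-07 13:25:35,152 PNG.exe (Exe 64) (pid 17286) destroyed",
    "2011-11-07 13:25:35,158 K (Exe 44) (pid 11706) destroyed",
    "2011-11-07 13:25:35,160 Kernel 44 released",
    "2011-11-07 13:25:39,976 FE (Exe 66) initialized",
    "2011-11-07 13:25:41,386 K (Exe 65) initialized",
    "2011-11-07 13:39:14,750 Kernel 47 acquired",
    "2011-11-07 13:39:16,139 PNG.exe (Exe 67) initialized",
    "2011-11-07 13:49:27,829 FE (Exe 48) (pid 12912) destroyed",
    "2011-11-07 13:49:27,838 PNG.exe (Exe 67) (pid 17786) destroyed",
    "2011-11-07 13:49:27,868 K (Exe 47) (pid 12830) destroyed",
    "2011-11-07 13:49:27,869 Kernel 47 released",
    "2011-11-07 13:49:27,982 FE (Exe 69) initialized",
    "2011-11-07 13:49:29,524 K (Exe 68) initialized",
    "2011-11-07 13:58:19,630 Kernel 49 acquired",
    "2011-11-07 13:58:20,147 PNG.exe (Exe 70) initialized",
]

# The pattern posted in the answers. In PCRE (and in Python's re) "\<" and
# "\>" are the literal characters "<" and ">", so this only matches events
# whose text contains "<kernel>", and none of the lines above does.
POSTED_PATTERN = r"\<kernel\>\s+(?<message>[^$]+)$"

# Proposed replacement (my own pattern and field names, not from the thread):
# anchor on the whole line, take the word after the timestamp as the process
# name, require the literal "(Exe N)", allow an optional "(pid N)", and
# capture the final verb. Lines such as "Kernel 47 acquired" do not match.
PROPOSED_PATTERN = (
    r"^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?<proc>\S+)\s+\(Exe (?<exe>\d+)\)"
    r"(?:\s+\(pid (?<pid>\d+)\))?\s+"
    r"(?<event>initialized|destroyed)$"
)

# The search this emulates; sourcetype=system is a placeholder.
SPL_QUERY = (
    'sourcetype=system | rex field=_raw "' + PROPOSED_PATTERN + '" '
    "| search proc=K (event=initialized OR event=destroyed)"
)


def pcre_to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left alone because a group name must
    start with a letter or underscore.
    """
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def rex(lines, pattern):
    """Emulate `| rex field=_raw "<pattern>"`.

    Returns one event dict per input line; captured groups become fields,
    and a line that does not match keeps only its _raw field.
    """
    compiled = re.compile(pcre_to_python(pattern))
    events = []
    for line in lines:
        match = compiled.search(line)
        event = {"_raw": line}
        if match:
            event.update(match.groupdict())
        events.append(event)
    return events


def posted_pattern_matches(lines):
    """Number of lines on which the posted pattern extracts a message field."""
    return sum(1 for ev in rex(lines, POSTED_PATTERN) if "message" in ev)


def search_k_lines(lines):
    """Emulate the full SPL_QUERY and return the raw lines it would keep."""
    return [
        ev["_raw"]
        for ev in rex(lines, PROPOSED_PATTERN)
        if ev.get("proc") == "K" and ev.get("event") in ("initialized", "destroyed")
    ]


if __name__ == "__main__":
    print(SPL_QUERY)
    print("posted pattern matched", posted_pattern_matches(LOG_LINES), "lines")
    for line in search_k_lines(LOG_LINES):
        print(line)
```

Anchoring on ^ and $ and requiring the literal "(Exe" is what keeps the "Kernel NN acquired/released" lines and the FE and PNG.exe lines out, so the search filters on the extracted proc and event fields rather than on where the letter K happens to occur in the text. Run the script to see the SPL_QUERY string to paste into Splunk, with the sourcetype replaced by the real one.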