Splunk Search

Using REX where unique data is behind the required string

PhilAndreotti
Explorer

Hi

I am quite new to Splunk and REX.

I am using the SNMP modular input app to poll one of my servers for multiple things. One value I poll for is the RAM used for each process. This is doing a full walk on the MIB I have provided and returns a long event which includes all the running processes. Below is an extract of the event (there are no line breaks):

SNMPv2-SMI::mib-2."25.4.2.1.2.1064" = "ext4-dio-unwrit" SNMPv2-SMI::mib-2."25.4.2.1.2.1065" = "kworker/9:2" SNMPv2-SMI::mib-2."25.4.2.1.2.1070" = "VpnMonitor" SNMPv2-SMI::mib-2."25.4.2.1.2.1081" = "kworker/10:2" SNMPv2-SMI::mib-2."25.4.2.1.2.1113" = "sshd" SNMPv2-SMI::mib-2."25.4.2.1.2.1115" = "rsyslogd"

Each process has a unique PID, but this will change with every reboot. I need to use the above to extract the PID of a specific number of processes, then use that value to run another query to get its memory utilisation. I haven't yet figured out how I will do that either but one step at a time...

Using the above example, I am trying to extract the PID for rsyslogd. The PID is the final 4 digits in the long number beforehand; however, that number is always preceded by the same set of numbers, 25.4.2.1.2.

I have run a selection of REX options, but because 25.4.2.1.2. is repeated so many times in the event, the return is greedy and either grabs the 1st or the last depending on my expression. I can't get the REX to take into account that I need the 4 digits after 25.4.2.1.2. but only if it's followed by " = "rsyslogd".

An example of my expression is:

search | rex "25.4.2.1.2.(?P<PID>\d{4})(\"\s=\s\"rsyslogd)" | table PID

I have tried many variations along the lines of the above but it will always ignore the following text.

Can anyone offer any suggestions for how I can get it to find my unique value?

Thanks in advance


PhilAndreotti
Explorer

Slightly embarrassing but user error - it is working! Thank you both for your answers.

I was looking for a specific PID relating to a specific process. While I was working on this, the server was rebooted (not by me) and as such, the PID I was looking for changed so I was looking for the wrong answer.

I was definitely getting the wrong answer for several hours - it was probably only the last 20 mins before I submitted the question on the forum that I was actually getting the right answer. On a brighter note, I learned a lot through the process!

Thanks again for your help - it did help as it made me double check everything.


aweitzman
Motivator

As an aside, @richgalloway is correct, you don't need the preceding P, since it's basically ignored. You also don't need the additional parentheses around the part following the PID matching group.


aweitzman
Motivator

I tried that, it works fine, too.

| gentimes start=-1 | eval _raw="SNMPv2-SMI::mib-2.\"25.4.2.1.2.1064\" = \"ext4-dio-unwrit\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1065\" = \"kworker/9:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1070\" = \"VpnMonitor\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1081\" = \"kworker/10:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1113\" = \"sshd\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1115\" = \"rsyslogd\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1116\" = \"sshd\"" | rex "25.4.2.1.2.(?<PID>\d{4})(\"\s=\s\"rsyslogd)" | table PID

Do you get 1116 when you cut/paste the above query? I correctly get 1115.
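The point the two test queries above make (the anchored pattern returns the PID next to the named process, not the first or last OID in the event) can be checked outside Splunk with the same regex syntax. The following is an added Python example, not code from the thread or from Splunk: it uses Python's `re` module in place of `rex` (both accept the `(?P<name>...)` group form), takes the sample event from aweitzman's query above with its second "sshd" entry, escapes the dots in the OID prefix so `.` cannot match an arbitrary character, and uses `\d+` instead of `\d{4}` so it also covers PIDs that are not exactly four digits. The function names `find_pid`, `find_all_pids` and `process_table` are my own.

```python
import re

# Constructed sample: the event from the thread, with the extra "sshd" entry
# appended as in aweitzman's test query, so a duplicated name is exercised.
SNMP_WALK = (
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1064" = "ext4-dio-unwrit" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1065" = "kworker/9:2" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1070" = "VpnMonitor" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1081" = "kworker/10:2" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1113" = "sshd" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1115" = "rsyslogd" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1116" = "sshd"'
)

# The hrSWRunName prefix as it appears in the event; every dot is escaped so
# that "." means a literal dot rather than "any character".
OID_PREFIX = r'25\.4\.2\.1\.2\.'


def pid_pattern(process_name: str) -> "re.Pattern[str]":
    """Build the anchored pattern: OID prefix, the PID, then the exact name.

    The PID is \\d+ rather than \\d{4} so PIDs of any length are accepted, and
    re.escape keeps names such as kworker/9:2 from being read as regex syntax.
    The closing quote after the name stops "sshd" from also matching "sshd-foo".
    """
    return re.compile(
        OID_PREFIX + r'(?P<PID>\d+)"\s=\s"' + re.escape(process_name) + '"'
    )


def find_pid(event: str, process_name: str):
    """First PID whose name equals process_name, or None.

    This mirrors a single rex: the engine tries every position in the event,
    so an earlier "25.4.2.1.2.NNNN" is skipped when the name after it differs.
    """
    m = pid_pattern(process_name).search(event)
    return int(m.group('PID')) if m else None


def find_all_pids(event: str, process_name: str):
    """Every PID carrying that name, in event order (mirrors rex max_match=0)."""
    return [int(m.group('PID')) for m in pid_pattern(process_name).finditer(event)]


def process_table(event: str):
    """All PID -> name pairs from one walk, the general form of the same pattern."""
    pat = re.compile(OID_PREFIX + r'(?P<PID>\d+)"\s=\s"(?P<name>[^"]*)"')
    return {int(m.group('PID')): m.group('name') for m in pat.finditer(event)}


if __name__ == '__main__':
    print(find_pid(SNMP_WALK, 'rsyslogd'))      # 1115, as in the thread
    print(find_all_pids(SNMP_WALK, 'sshd'))     # both sshd PIDs, 1113 and 1116
    print(process_table(SNMP_WALK))
```

Because a process name can legitimately occur more than once (two `sshd` entries here), a single match only ever gives the first one; when the next step is to look up memory use per PID, `find_all_pids` or the full `process_table` is the safer starting point, and in Splunk the equivalent is `rex max_match=0` followed by `mvexpand`.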

PhilAndreotti
Explorer

Thank you both for the replies.

richgalloway - I have escaped the dots and tried without the P - no difference.

aweitzman - perhaps you are getting the correct result because the example I gave is a subset. If you ran the same while searching for the process "sshd" - i.e. NOT the last process in the list - I don't think it would work. I have an extract of probably 100+ processes running on my Linux server.


aweitzman
Motivator

Your rex works perfectly for me. Are you certain that this string is in your raw data?

| gentimes start=-1 | eval _raw="SNMPv2-SMI::mib-2.\"25.4.2.1.2.1064\" = \"ext4-dio-unwrit\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1065\" = \"kworker/9:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1070\" = \"VpnMonitor\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1081\" = \"kworker/10:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1113\" = \"sshd\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1115\" = \"rsyslogd\"" | rex "25.4.2.1.2.(?P<PID>\d{4})(\"\s=\s\"rsyslogd)" | table PID

richgalloway
SplunkTrust

Your rex expression worked fine for me on regexr.com using your sample data. Have you tried escaping the dots or using ?<PID> instead of ?P<PID>?

---
If this reply helps you, Karma would be appreciated.