I have the below two events, which I have separated by a "=" line for better viewing. I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM":
S:/PCTOOLS/085/CommLend/Comments/ad_hoc.ldb
S:/PCTOOLS/085/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/005/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/061/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/084/CommLend/Comments/romcomm.ldb
7/31/18
8:15:01.000 PM
S:/PCTOOLS/085/CommLend/Comments/ad_hoc.ldb
S:/PCTOOLS/085/CommLend/Comments/romcomm.ldb
Script Information:
Script LdbFileCheckerWE run on Admin Server: SAT1MVMAP263 and creates log at location:D:/PCTOOL/Logs/LDB/LdbFileLogsWE.txt
host = SAT1MVMAP263 source = D:\PCTOOL\Logs\LDB\LdbFileLogsWE.txt sourcetype = auto_preprod_ldb_log
===============================================================================================
7/31/18
8:15:00.000 PM
2018/07/31 19:15:00
Hello Ally\x96Hosting Windows Team,
Kindly refer below path,Server details and close below open user sessions:
Server Name: USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM
S:/PCTOOLS/005/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/061/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/084/CommLend/Comments/romcomm.ldb
How to do this?
I have used the below regex but it extracts only two:
rex field=_raw "(?<>S:\/.*)"
Hi,
Can you please try using the below; this will give you the count of times that keyword appears in the logs.
| rex field=_raw "(?i)\W(?PUSPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM)\W" | rename general_exception_type as Exception-Type| stats count by host, source,sourcetype, Exception-Type
Please try it and do let us know if that works.
I believe you just need to add max_match=0 to your | rex line, so that multiple copies of the regex match can occur in a single event.
thanks @DalJeanis, this works, but I wanted to know why this was required. I have used regex previously for other patterns but never required this.
@abhi04 - if a pattern is to match once, that parameter is not required. However, to use the same match multiple times in the same event, that parameter must be present. The other times that you didn't need it were probably because you were matching patterns that only mattered once.
Hi abhi04,
you could try something like this:
(?<file>\w:\/[^ ]*\.ldb)
that you can test at https://regex101.com/r/quFBpb/1
Bye.
Giuseppe
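To show concretely why max_match=0 matters (DalJeanis's answer) and how the .ldb path pattern suggested by cusello behaves on a multi-line event, here is an added Python example that is not part of this thread and not Splunk code. It uses Python's re module as a stand-in for rex: re.search plays the role of rex with its default max_match=1, re.finditer plays the role of max_match=0. The two events are reconstructed from the question (paths and host names copied from it, the rest is constructed sample text), and the grouping by Server Name is one way of doing what the question asks for; events with no Server Name line are grouped under None.

```python
import re

# Constructed sample events modelled on the two events in the question (the
# paths and host names are copied from the thread; the surrounding text is
# reconstructed, and the odd byte in "Ally\x96Hosting" is written as a hyphen).
EVENT_A = (
    "7/31/18\n"
    "8:15:01.000 PM\n"
    "S:/PCTOOLS/085/CommLend/Comments/ad_hoc.ldb\n"
    "S:/PCTOOLS/085/CommLend/Comments/romcomm.ldb\n"
    "Script Information:\n"
    "Script LdbFileCheckerWE run on Admin Server: SAT1MVMAP263 and creates log "
    "at location:D:/PCTOOL/Logs/LDB/LdbFileLogsWE.txt\n"
)

EVENT_B = (
    "7/31/18\n"
    "8:15:00.000 PM\n"
    "2018/07/31 19:15:00\n"
    "Hello Ally-Hosting Windows Team,\n"
    "Kindly refer below path,Server details and close below open user sessions:\n"
    "Server Name: USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM\n"
    "S:/PCTOOLS/005/CommLend/Comments/romcomm.ldb\n"
    "S:/PCTOOLS/061/CommLend/Comments/romcomm.ldb\n"
    "S:/PCTOOLS/084/CommLend/Comments/romcomm.ldb\n"
)

# Line-bounded path pattern: drive letter, ":/", non-whitespace up to ".ldb".
# \S never matches a newline, so one match is always one line of the event.
LDB_PATH = re.compile(r"(?P<file>\w:/\S*\.ldb)")
# The [^ ] variant from the answer above, kept here only to show how it behaves:
# [^ ] excludes the space character but does match a newline (Python re and PCRE).
LDB_PATH_NO_SPACE = re.compile(r"(?P<file>\w:/[^ ]*\.ldb)")
# Server Name line, anchored to a line start within the event.
SERVER_NAME = re.compile(r"^Server Name:\s*(?P<server>\S+)", re.MULTILINE)


def extract_first(event, pattern=LDB_PATH):
    """Mirror rex with its default max_match=1: at most one value per event."""
    m = pattern.search(event)
    return [m.group("file")] if m else []


def extract_all(event, pattern=LDB_PATH):
    """Mirror rex max_match=0: every match in the event, like a multivalue field."""
    return [m.group("file") for m in pattern.finditer(event)]


def paths_by_server(events):
    """Group every .ldb path by the Server Name line found in its own event.

    Events without a Server Name line are grouped under None, which covers the
    "with Server Name mentioned or not" case from the thread.
    """
    grouped = {}
    for event in events:
        m = SERVER_NAME.search(event)
        key = m.group("server") if m else None
        grouped.setdefault(key, []).extend(extract_all(event))
    return grouped


if __name__ == "__main__":
    for name, event in (("A", EVENT_A), ("B", EVENT_B)):
        print(name, "max_match=1 ->", extract_first(event))
        print(name, "max_match=0 ->", extract_all(event))
    # The [^ ]* pattern swallows all three path lines of event B as ONE match
    print("[^ ]* variant on B ->", extract_all(EVENT_B, LDB_PATH_NO_SPACE))
    print(paths_by_server([EVENT_A, EVENT_B]))
```

Running it shows the two effects at once: with the default single match, each event yields only its first path (two values across the two events, which matches the "extracts only two" symptom), while the finditer/max_match=0 variant yields all five. The second point is a regex caveat rather than a Splunk one: because `[^ ]` does not exclude newlines, the greedy `[^ ]*` runs across the three path lines of the second event and returns them as a single match ending at the last `.ldb`, whereas `\S*` stops at the end of each line.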
This is not working
@cusello
Hello,
Can you please explain more about this "I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM" :"
Also, there is no name for your named capturing group in rex. Try this: rex field=_raw "^(?<put_some_fieldname>S:\/.*)"
@nittala_surya, when I add the name capture it won't show here, so you can assume any name in the <>.
Also the regex quoted by you does not work.
@abhi04, Firstly, I used the same regex (with ) you gave and it worked fine against your sample data. Did you check for the field under "Interesting Fields" section?
Secondly, you did not answer my question above. What do you mean by this "I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM" :" Do you want to extract the lines if event has "Server Name" only?
You ignored the comment "I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM" :".
I want to extract the lines with Server Name mentioned or not.
In that case the regex should definitely work! Please go to https://regex101.com/r/s96xpm/1 to validate regex against your sample.
And, I am still unsure of what your question is. Because, you have a working regex in your initial question. Can you explain where you're facing trouble?
@nittala_surya - Yes, the regex is working fine when I tested it in https://regex101.com/r/s96xpm/1 but it won't extract all the lines in Splunk.