Splunk Search

What will be the Regex for creating the below alert?

abhi04
Communicator

I have below two events which I hav separated by "=" line for better view.I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM" :

S:/PCTOOLS/085/CommLend/Comments/ad_hoc.ldb
S:/PCTOOLS/085/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/005/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/061/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/084/CommLend/Comments/romcomm.ldb

7/31/18
8:15:01.000 PM

S:/PCTOOLS/085/CommLend/Comments/ad_hoc.ldb
S:/PCTOOLS/085/CommLend/Comments/romcomm.ldb


Script Information:
Script LdbFileCheckerWE run on Admin Server: SAT1MVMAP263 and creates log at location:D:/PCTOOL/Logs/LDB/LdbFileLogsWE.txt
host = SAT1MVMAP263 source = D:\PCTOOL\Logs\LDB\LdbFileLogsWE.txt sourcetype = auto_preprod_ldb_log

===============================================================================================

7/31/18
8:15:00.000 PM

2018/07/31 19:15:00
Hello Ally\x96Hosting Windows Team,
Kindly refer below path,Server details and close below open user sessions:
Server Name: USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM
S:/PCTOOLS/005/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/061/CommLend/Comments/romcomm.ldb
S:/PCTOOLS/084/CommLend/Comments/romcomm.ldb

How to do this?

I have used the below regex but it extracts only two:

rex field=_raw "(?<>S:\/.*)"

Tags (2)
0 Karma
1 Solution

DalJeanis
Legend

I believe you just need to add max_match=0 to your | rex line, so that multiple copies of the regex match can occur in a single event.

View solution in original post

0 Karma

wanip
Explorer

Hi,

Can you please try using the below, this will give you the count of that keyword appear in logs.

| rex field=_raw "(?i)\W(?PUSPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM)\W" | rename general_exception_type as Exception-Type| stats count by host, source,sourcetype, Exception-Type

Please try do let us know if that works.

0 Karma

DalJeanis
Legend

I believe you just need to add max_match=0 to your | rex line, so that multiple copies of the regex match can occur in a single event.

0 Karma

abhi04
Communicator

thanks @DalJeanis, this works, but wanted to know why this was required. I have used regex previously for other patterns but never required this

0 Karma

DalJeanis
Legend

@abhi04 - if a pattern is to match once, that parameter is not required. However, to use the same match multiple times in the same event, that parameter must be present. The other times that you didn't need it were probably because you were matching patterns that only mattered once.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi abhi04,
you could try something like this:

(?<file>\w:\/[^ ]*\.ldb)

that you can test at https://regex101.com/r/quFBpb/1

Bye.
Giuseppe

0 Karma

abhi04
Communicator

This is not working
@cusello

0 Karma

sudosplunk
Motivator

Hello,

Can you please explain more about this "I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM" :"
Also, there is no name for your name-capturing group in rex. Try this, rex field=_raw "^(?<put_some_fieldname>S:\/.*)"

0 Karma

abhi04
Communicator

@nittala_surya, when I am adding the name _capture it wont show here, so you can assume any name in the <> .
Also the regex quoted by you does not work.

0 Karma

sudosplunk
Motivator

@abhi04, Firstly, I used the same regex (with ) you gave and it worked fine against your sample data. Did you check for the field under "Interesting Fields" section?
Secondly, you did not answer my question above. What do you mean by this "I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM" :" Do you want to extract the lines if event has "Server Name" only?

0 Karma

abhi04
Communicator

You ignore the comment ""I want to extract the below mentioned lines by Server Name "USPLZ1MVPFP001.NAO.GLOBAL.GMACFS.COM" :".

I want to extract the lines with Server Name mentioned or not.

0 Karma

sudosplunk
Motivator

In that case the regex should definitely work! Please go to https://regex101.com/r/s96xpm/1 to validate regex against your sample.
And, I am still unsure of what your question is. Because, you have a working regex in your initial question. Can you explain where you're facing trouble?

0 Karma

abhi04
Communicator

@nittala_surya - Yes, the regex is working fine when I tested in https://regex101.com/r/s96xpm/1 but wont extract all the lines in Splunk.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...