extract fields not working

skjelmose · ‎08-13-2013

Hi there,

I have an errp log from aix that i want to process and determine on with side of the cluster we had problems.

The log file extracted:

Date/Time:       Mon Aug 12 12:42:53 CEST 2013

Sequence Number: 383812
Machine Id: xxx
Node Id: xxx
Class: H
Type: PERM
WPAR: Global
Resource Name: hdisk1
Resource Class:
Resource Type:
Location:
VPD:
Manufacturer................xxx
Machine Type and Model......xxx
ROS Level and ID............5773
Serial Number...............xxx
Part Number.................xxx
EC Level....................xxx
LIC Node VPD................xxx
Device Specific.(Z0)........xxx
Device Specific.(Z1)........xxx
Device Specific.(Z2)........xxx
Device Specific.(Z3)........xxx
Device Specific.(Z4)........xxx
Device Specific.(Z5)........xxx
Device Specific.(Z6)........xxx

Description
PATH HAS FAILED

Probable Causes
ADAPTER HARDWARE OR CABLE
DASD DEVICE

Failure Causes
UNDETERMINED

    Recommended Actions
    PERFORM PROBLEM DETERMINATION PROCEDURES
    CHECK PATH

Detail Data
PATH ID
1
SENSE DATA
0600 0000 0000 0004 0000 0000 0000 0000 0000 0000 0000 0000 0200 0500 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000

The line I am interested are these 2

EC Level....................105283

EC Level....................105278

But unfortunatly I can see these lines when I choose Extract Fields

Date/Time: Mon Aug 12 12:43:53 CEST 2013
Sequence Number: 383782
Machine Id: xxx
Node Id: xxx
Class: H
Type: PERM
WPAR: Global
Resource Name: hdisk18
Resource Class:
Resource Type:
Location:
VPD:
Manufacturer................xxx
Machine Type and Model......xxx
ROS Level and ID............5773

Point is that I want to make a search for "PATH HAS FAILED" and from my field sort by which side of the mirror that failed (105283 OR 105278) and to some graphs.

skjelmose · ‎08-13-2013

Hi there,

Well it seems like thats what im looking for but how am i supposed to write it in the search bar:

index = aix "PATH HAS FAILED" | rex _raw (?<=EC Level.{20})d+ or ????

Thanks for your help so far greatly appreciated.

lcrielaa · ‎08-13-2013

The following regex will find any digit at the end of "EC Level" and 20 dots.

(?<=EC Level\.{20})\d+

If you search for events containing "PATH HAS FAILED" and then use the above regex to extract the needed field, you could use that to send alerts or build graphs.

Is this what you were looking for?

lcrielaa · ‎08-15-2013

index=aix "PATH HAS FAILED" | rex field=_raw "(?<=EC Level.{20})(?\d+)"

This'll give you a field in the fieldpicker called "EC_Level" that'll match the EC Level number. You may have to tweak it.

If this answer helped you, please accept it.

skjelmose · ‎08-15-2013

Hi again,

Am I supposed to write it in the search bar:
index = aix "PATH HAS FAILED" | rex _raw (?<=EC Level.{20})d+ or ???? 🙂

skjelmose · ‎08-13-2013

Hi there,
Well it seems like thats what im looking for but how am i supposed to write it in the search bar:
index = aix "PATH HAS FAILED" | rex _raw (?<=EC Level.{20})d+ or ????
Thanks for your help so far greatly appreciated.

extract fields not working

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes