Splunk Search

how to define a generic sourcetype regex for service status

ashraf_sj
Explorer

Hi, I have a script which can pull the service status for each of the service,

I have defined it to be a common sourcetype,

LINBREAK - regex pattern

 

([\r\n]+)\w+\=\"\w+\"\,\w+\=\"\w+\"\,\w+\=\d\,\w+\=\"\w+\"

 

 

on the script it would output as below sample

 

service_name="XXXX",os_service="jboss",status_value=1,status="Running"

 

 

It was alright until I started monitoring microservices which breaks the above pattern on the os_service field

Sample output,

If you see the issue here, the os_service now has "-" in between and it varies for each of the sub services or os_service,. Is there any generic way to capture anything under os_service with a common regex

so if we pass any os_service name it would handle both the normal os_service as above in example and also be used for microservices os_service. 

 

service_name="Microservices",os_service="xx-xx-service",status_value=1,status="Running"
service_name="Microservices",os_service="xxx-application-service",status_value=1,status="Running"
service_name="Microservices",os_service="buxx-service",status_value=1,status="Running"
service_name="Microservices",os_service="xx-cuxxxxxx-service",status_value=1,status="Running"
service_name="Microservices",os_service="xxxx-organisation-service",status_value=1,status="Running"
service_name="Microservices",os_service="xxxx-event-service",status_value=1,status="Running"
service_name="Microservices",os_service="coxx-xxx-check-service",status_value=1,status="Running"
service_name="Microservices",os_service="xxx-bxx-service",status_value=1,status="Running"
service_name="Microservices",os_service="xxx-pxxx-sanXXXXX-service",status_value=1,status="Running"
service_name="Microservices",os_service="xxx-core-application-service",status_value=1,status="Running"
service_name="Microservices",os_service="xxx-core-cuxxxxxx-service",status_value=1,status="Running"
service_name="Microservices",os_service="xxx-core-organisation-service",status_value=1,status="Running"
service_name="Microservices",os_service="xxx-core-event-service",status_value=1,status="Running"
service_name="Microservices",os_service="xxx-core-xxx-check-service",status_value=1,status="Running"
service_name="Microservices",os_service="gateway-service",status_value=1,status="Running"
service_name="Microservices",os_service="xxx-bxx-service",status_value=1,status="Running"

 

 

Labels (1)
Tags (2)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust
Why LINEBREAKER cannot be as normally? Can you post sample of your raw log data?
r. Ismo

View solution in original post

isoutamo
SplunkTrust
SplunkTrust
Why LINEBREAKER cannot be as normally? Can you post sample of your raw log data?
r. Ismo

ashraf_sj
Explorer
Spoiler
@isoutamo . true the default line breaker should do the trick.

Have removed the pattern and left with the default line breaker now and looks to work perfectly. I did over complicate a simple solution. thanks
LINE_BREAKER=([\r\n]+)​
0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...