regex exclude nth word in the event

ppatkar · ‎03-03-2021

I want to ignore the actual file name in my exception events so I can group the exceptions .

For example, regex on below event should extract only "Error File not found !!!" and ignore the actual filename in between.

Error File abracadabra.gz not found !!!

Can you please advise on how to exclude this word in between the fixed format of words .

Thank you.

ITWhisperer · ‎03-03-2021

To drop the 3rd word

| rex mode=sed "s/^(\S+\s)(\S+\s)(\S+\s)/\1\2/g"

or for more precision

| rex mode=sed "s/^(Error File )(\S+\s)(not found)/\1\3/g"

manjunathmeti · ‎03-03-2021

Use rex with sed mode:

| makeresults | eval test="Error File abracadabra.gz not found !!!" | rex field=test mode=sed "s/\s\w+\.(gz|tgz|zip)//g"

If this reply helps you, an upvote/like would be appreciated.

ppatkar · ‎03-03-2021

HI @manjunathmeti @ITWhisperer , Thank you for your quick reply . I have a followup question as I intend to use capture group to gather errors . My existing search is something like below :

index=*  "IOError" OR  "file does not exist"  | 
rex field=_raw max_match=1 "IOError:(?<IO_ERROR>.*)" |
rex field=_raw max_match=1 "MESSAGE=(?<FILE_ERROR>file does not exist[^\d|]+)" |
... | eval ERROR_LOG = coalesce(IO_ERROR,FILE_ERROR...)

Can I incorporate the sed mode in this type of capture group or is there any other way ?

Thank you for all your help

ITWhisperer · ‎03-03-2021

rex either works in capture mode or sed mode - you could use a separate rex to edit the captured field

regex exclude nth word in the event

regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!