Splunk Search

search string containing alphanumeric characters and square brackets

raghul725
Engager

Hello,

I have the following lines in logs


[Kafka Server 4], shut down completed (kafka.server)

[Kafka Server 4], start completed (kafka.server)

The number before ] could be anything between 0-9


So I am trying the following

index=* namespace=XXXXXX | search ["Kafka Server"\s\d]\,\ss\w+

And I am expecting the result to be

[Kafka Server 4], shut
[Kafka Server 4], start

But I am not getting the desired result


While I try

index=* namespace=XXXXXX | search ["Kafka Server"
I get

[Kafka Server 4], shut down completed (kafka.server)

[Kafka Server 4], start completed (kafka.server)

[Kafka Server 5], shut down completed (kafka.server)

[Kafka Server 6], start completed (kafka.server)

...... etc

Could someone assist me please?

Regards

Labels (3)
0 Karma
1 Solution

to4kawa
Ultra Champion

sample:

| makeresults
| eval _raw="[Kafka Server 4], shut down completed (kafka.server)
[Kafka Server 4], start completed (kafka.server)"
| multikv noheader=t
| fields _raw
| search TERM("Kafka")  TERM("Server") ((TERM("shut") TERM("down")) OR TERM("start")) TERM("completed")
| rex "(?<server>\[.*\]), (?<status>.*) completed"

Recommend:

index=* namespace=XXXXXX TERM("Kafka")  TERM("Server") ((TERM("shut") TERM("down")) OR TERM("start")) TERM("completed")
| rex "(?<server>\[.*\]), (?<status>.*) completed"
| table _time server status

you don't have to care with []

View solution in original post

to4kawa
Ultra Champion

sample:

| makeresults
| eval _raw="[Kafka Server 4], shut down completed (kafka.server)
[Kafka Server 4], start completed (kafka.server)"
| multikv noheader=t
| fields _raw
| search TERM("Kafka")  TERM("Server") ((TERM("shut") TERM("down")) OR TERM("start")) TERM("completed")
| rex "(?<server>\[.*\]), (?<status>.*) completed"

Recommend:

index=* namespace=XXXXXX TERM("Kafka")  TERM("Server") ((TERM("shut") TERM("down")) OR TERM("start")) TERM("completed")
| rex "(?<server>\[.*\]), (?<status>.*) completed"
| table _time server status

you don't have to care with []

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The search command does not support regular expressions. The regex command and searchmatch functions (among others) do, however.

Try this.

index=* namespace=XXXXXX "[Kafka Server*" | regex "\[Kafka Server\s\d],\ss\w+"

or

index=* namespace=XXXXXX "[Kafka Server*" | where searchmatch("\[Kafka Server\s\d],\ss\w+")
---
If this reply helps you, an upvote would be appreciated.

raghul725
Engager

Nice thanks Richgalloway,
Regex works, but for some reason searchmatch does not return any results.

Anyways I can survive with Regex.

Best Regards,

0 Karma

to4kawa
Ultra Champion

searchmatch() matches String , not REGEX
use match()
| where match(_raw,"\[Kafka Server\s\d],\ss\w+")

richgalloway
SplunkTrust
SplunkTrust

Thanks for setting me straight, @to4kawa.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!