
stream rex substitution to stats

ddebroy
Engager

I have the following rex substitution in a query to aggregate various log messages (those containing the strings Liveness and Readiness):

 

index=k8s ("event.go") AND (kind="Pod") AND (type="Warning" OR type="Error") source="*kubelet.log"
| rex mode=sed "s/(object=\"[^\s]+\")(.*)Liveness(.*)/\1 message=\"Liveness Error\"/g"
| rex mode=sed "s/(object=\"[^\s]+\")(.*)Readiness(.*)/\1 message=\"Readiness Error\"/g"
| dedup object message

 

The above appears to work correctly and provide the desired result.

For example, the above transforms events like below:

 I0903 17:12:49.308289 2024433 event.go:211] "Event occurred" object="namespace1/podfoo" message="Readiness probe failed: + cd /sandbox\\n++ curl --output /dev/null --max-time 28 --silent --write-out '%{http_code}' http://0.0.0.0:20012/heartbeat\\n+ ret=000\\n+ for expected_status in 200\\n+ [[ 000 == 200 ]]\\n+ [[ '' == \\\\t\\\\r\\\\u\\\\e ]]\\n+ false\\n" 

nicely into the following:

I0903 17:12:49.308289 2024433 event.go:211] "Event occurred" object="namespace1/podfoo" message="Readiness Error" 


However, when I try to stream the above query into stats ("stats count by message"), the transformed events generated as part of the rex substitution disappear for some reason, and stats seems to be acting on the original event messages (as if the rex sed had no effect).

 

index=k8s ("event.go") AND (kind="Pod") AND (type="Warning" OR type="Error") source="*kubelet.log"
| rex mode=sed "s/(object=\"[^\s]+\")(.*)Liveness(.*)/\1 message=\"Liveness Error\"/g"
| rex mode=sed "s/(object=\"[^\s]+\")(.*)Readiness(.*)/\1 message=\"Readiness Error\"/g"
| dedup object message
| stats count by message

 

With the above, stats appears to aggregate on the original message contents of the events rather than the output of the rex substitution. For example, I see:

message                                                                 count
Readiness probe errored: rpc error: code = Unknown ...                  1059
Readiness probe failed: HTTP probe failed with statuscode: 503          2003


rather than the substituted message fields aggregated to something along the lines of:

message                                                               count
Readiness Error                                                       3062

 


How can I get the output of the rex sed (like in the example above) to pass the substituted message fields in the events to stats?


ITWhisperer
SplunkTrust

rex mode=sed has modified the _raw field, not the message field - either perform the rex on the message field (assuming it has already been extracted), or re-extract the message field from the updated version of _raw.

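A corrected form of the query following the first option in the answer (rewrite the already-extracted message field rather than _raw), added here as an example and not code from either poster. It assumes that message is auto-extracted from the key="value" pairs of the kubelet events, as the poster's output suggests, and that the extracted value is a single line:

```spl
index=k8s ("event.go") AND (kind="Pod") AND (type="Warning" OR type="Error") source="*kubelet.log"
| rex field=message mode=sed "s/.*Liveness.*/Liveness Error/"
| rex field=message mode=sed "s/.*Readiness.*/Readiness Error/"
| dedup object message
| stats count by message
```

Because the sed runs against message instead of _raw, the value that dedup and stats see is the rewritten one, so the result collapses to a single "Readiness Error" row (plus a "Liveness Error" row if such events exist) instead of one row per distinct probe error. Two caveats worth checking on real data: if the extracted message contains literal newlines, `.` will not cross them and the tail of the message survives the substitution, in which case an explicit `eval message=case(match(message,"Liveness"),"Liveness Error", match(message,"Readiness"),"Readiness Error", true(),message)` is the more robust rewrite; and if you prefer the answer's second option, keep the original sed on _raw and follow it with a re-extraction such as `rex field=_raw "message=\"(?<message>[^\"]*)\""` before dedup and stats.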
