×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
sysamit
Engager
Member since: ‎01-12-2021
‎01-15-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎01-12-2021
View All

Re: Combining 2 regex searches to a single one bre...

by in Splunk Search
‎01-13-2021 10:06 PM
‎01-13-2021 10:06 PM
Thanks @scelikok for your suggestions. I also figured out that garbled output was due to combining the two searches, two regex runs on whole dataset. ... View more

Combining 2 regex searches to a single one breaks ...

by in Splunk Search
‎01-12-2021 09:51 AM
‎01-12-2021 09:51 AM
I have an index cloud_stats on which I need to create a daily error count by source report, so that we can work on the error with max counts first and then others.  I have 4 error keywords to search as below : DailyErrorLogtTrigger Check if cloud return error or not Tracking Error Maualerrormessage For 1,2 I created below search that works perfectly. index="cloud_stats" "*ERROR*" | search ( "*DailyErrorLogtTrigger*" OR "*check if Cloud return error or not*" ) | rex field=_raw "INFO(.+(?=Step2)|[\s>]+)(?<Error>.+)" | table index source Error | stats count(Error) AS COUNT BY index source Error | sort -COUNT Output : And For 3,4 created below search, that also works perfectly. index="cloud_stats" "*ERROR*" | search ( "*Tracking Error*" OR "*Maualerrormessage*" ) | rex field=_raw "(?<Error>DisplayName[^,]+Tracking[^,]+)" | rex field=_raw "ManualStatsInfo.*,(?<Error>.*)" | table index source Error | stats count(Error) AS COUNT BY index source Error | sort -COUNT Output : Issues arises when I want to combine both of the above searches into one like below.  index="cloud_stats" "*ERROR*" | search ( "*Tracking Error*" OR "*Maualerrormessage*" OR "*DailyErrorLogtTrigger*" OR "*check if Cloud return error or not*" ) | rex field=_raw "(?<Error>DisplayName[^,]+Tracking[^,]+)" | rex field=_raw "ManualStatsInfo.*,(?<Error>.*)" | rex field=_raw "INFO(.+(?=Step2)|[\s>]+)(?<Error>.+)" | table index source Error | stats count(Error) AS COUNT BY index source Error | sort -COUNT   What happens here is that after combining the two searches, Warning part - I get error in rex command pointing to error in rex from the Ist search initially Frustrating part - And for some reason, second search (on Tracking error) starts to output the complete event ( in the red box in output) instead of filtered out keywords (in the green box in output) for some cases. Output : Those events are a page long and I don't want to create report over such 100's of events where each event is a page long. That will make the error trend analysis more cumbersome.  Can anyone please help on to how to get only the words that are filtered from regex (as in green box)  instead of complete event (as in red box)? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-15-2021 07:00 AM
Karma given to
View All