Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my regex not matching?

michaelnorup
Communicator
‎03-28-2023 02:45 AM

My regex from the message field looks like this.

 

| rex field=Message "\W(?<Hostname>\S+)\s\w+\W(?<Build>\S+)\s\w+\W(?<CpuCount>\S+)\s\w+\W(?<CpuTotalMhz>\S+)\s\w+\W(?<CpuUsageMhz>\S+)\s\w+\W(?<MemoryTotalMB>\S+)\s\w+\W(?<MemoryUsageMB>\S+)\s\w+\W(?<Version>\S+)" |

 


For some reason it matches and pulls out all the fields from this entry:

 

Message=Hostname=esx-pod1-nprd-112.mad.local Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=142 MemoryTotalMB=1048094.5625 MemoryUsageMB=9086 Version=7.0.3

 


But not from any other entries which could looks like this:

 

Message=Hostname=10.241.192.46 Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=8186 MemoryTotalMB=1048094.55859375 MemoryUsageMB=198624 Version=

 

or 

 

Message=Hostname=esx-cl6-184.mad.local Build=19195723 CPUCount=20 CpuTotalMhz=49880 CpuUsageMhz=672 MemoryTotalMB=294587.2578125 MemoryUsageMB=52530 Version=

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

michaelnorup
Communicator
‎03-28-2023 03:17 AM

It was because "Version" was empty. Fixed that in the script that populated the fields outside of splunk

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

michaelnorup
Communicator
‎03-28-2023 03:17 AM

It was because "Version" was empty. Fixed that in the script that populated the fields outside of splunk

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-28-2023 03:35 AM

Hi @Gr0und_Z3r0 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-28-2023 03:16 AM

Hi @michaelnorup ,

please try this regex:

| rex field=Message "Hostname\=(?<Hostname>[^ ]*)\s+Build\=(?<Build>[^ ]*)\s+CPUCount\=(?<CPUCount>[^ ]*)\s+CpuTotalMhz\=(?<CpuTotalMhz>[^ ]*)\s+CpuUsageMhz\=(?<CpuUsageMhz>[^ ]*)\s+MemoryTotalMB\=(?<MemoryTotalMB>[^ ]*)\s+MemoryUsageMB\=(?<MemoryUsageMB>[^ ]*)\s+Version\=(?<Version>.*)"

Ciao.

Giuseppe 

0 Karma
Reply
Solved! Jump to solution

Gr0und_Z3r0
Contributor
‎03-28-2023 03:02 AM

hi @michaelnorup 

Try this...

| makeresults
| eval Message="Hostname=esx-pod1-nprd-112.mad.local Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=142 MemoryTotalMB=1048094.5625 MemoryUsageMB=9086 Version=7.0.3,Hostname=10.241.192.46 Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=8186 MemoryTotalMB=1048094.55859375 MemoryUsageMB=198624 Version=,Hostname=esx-cl6-184.mad.local Build=19195723 CPUCount=20 CpuTotalMhz=49880 CpuUsageMhz=672 MemoryTotalMB=294587.2578125 MemoryUsageMB=52530 Version="
| makemv Message delim=","
| mvexpand Message
| rex field=Message "Hostname\=(?<Hostname>[\w\-\.]+)\sBuild\=(?<Build>[\d]+)\sCPUCount\=(?P<CPUCount>[\d]+)\sCpuTotalMhz\=(?P<CpuTotalMhz>[\d]+)\sCpuUsageMhz\=(?P<CpuUsageMhz>[\d]+)\sMemoryTotalMB\=(?P<MemoryTotalMB>[\d\.]+)\sMemoryUsageMB\=(?P<MemoryUsageMB>[\d\.]+)\sVersion\=(?P<Version>.*)" 
| table Message Hostname Build CPUCount CpuTotalMhz CpuUsageMhz MemoryTotalMB MemoryUsageMB Version

Gr0und_Z3r0_0-1679997748717.png


~ If the reply helps a karma vote would be appreciated

 

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...