Splunk Search

Using REX where unique data is behind the required string

PhilAndreotti
Explorer

Hi

I am quite new to Splunk and REX.

I am using the SNMP modular input app to poll one of my servers for multiple things. One value I poll for is the RAM used for each process. This is doing a full walk on the MIB I have provided and returns a long event which includes all the running processes. Below is an extract of the event (there are no line breaks):

SNMPv2-SMI::mib-2."25.4.2.1.2.1064" = "ext4-dio-unwrit" SNMPv2-SMI::mib-2."25.4.2.1.2.1065" = "kworker/9:2" SNMPv2-SMI::mib-2."25.4.2.1.2.1070" = "VpnMonitor" SNMPv2-SMI::mib-2."25.4.2.1.2.1081" = "kworker/10:2" SNMPv2-SMI::mib-2."25.4.2.1.2.1113" = "sshd" SNMPv2-SMI::mib-2."25.4.2.1.2.1115" = "rsyslogd"

Each process has a unique PID, but this will change with every reboot. I need to use the above to extract the PID of a specific number of processes, then use that value to run another query to get its memory utilisation. I haven't yet figured out how I will do that either but one step at a time...

Using the above example, I am trying to extract the PID for rsyslogd. The PID is the final 4 digits in the long number beforehand; however, that number is always preceded by the same set of numbers, 25.4.2.1.2.

I have run a selection of REX options, but because 25.4.2.1.2. is repeated so many times in the event, the return is greedy and either grabs the 1st or the last depending on my expression. I can't get the REX to take into account that I need the 4 digits after 25.4.2.1.2. but only if it's followed by " = "rsyslogd".

An example of my expression is:

search | rex "25.4.2.1.2.(?P<PID>\d{4})(\"\s=\s\"rsyslogd)" | table PID

I have tried many variations along the lines of the above but it will always ignore the following text.

Can anyone offer any suggestions for how I can get it to find my unique value?

Thanks in advance


PhilAndreotti
Explorer

Slightly embarrassing but user error - it is working! Thank you both for your answers.

I was looking for a specific PID relating to a specific process. While I was working on this, the server was rebooted (not by me) and as such, the PID I was looking for changed so I was looking for the wrong answer.

I was definitely getting the wrong answer for several hours - it was probably only the last 20mins before I submitted the question on the forum that I was actually getting the right answer. On a brighter note, I learned a lot through the process!

Thanks again for your help - it did help as it made me double check everything.


aweitzman
Motivator

As an aside, @richgalloway is correct, you don't need the preceding P, since it's basically ignored. You also don't need the additional parentheses around the part following the PID matching group.


aweitzman
Motivator

I tried that, it works fine, too.

| gentimes start=-1 | eval _raw="SNMPv2-SMI::mib-2.\"25.4.2.1.2.1064\" = \"ext4-dio-unwrit\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1065\" = \"kworker/9:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1070\" = \"VpnMonitor\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1081\" = \"kworker/10:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1113\" = \"sshd\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1115\" = \"rsyslogd\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1116\" = \"sshd\"" | rex "25.4.2.1.2.(?<PID>\d{4})(\"\s=\s\"rsyslogd)" | table PID

Do you get 1116 when you cut/paste the above query? I correctly get 1115.

PhilAndreotti
Explorer

Thank you both for the replies.

richgalloway - I have escaped the dots and tried without the P - no difference.

aweitzman - perhaps you are getting the correct result because the example I gave is a subset. If you ran the same while searching for the process "sshd" - i.e. NOT the last process in the list - I don't think it would work. I have an extract of probably 100+ processes running on my Linux server.


aweitzman
Motivator

Your rex works perfectly for me. Are you certain that this string is in your raw data?

| gentimes start=-1 | eval _raw="SNMPv2-SMI::mib-2.\"25.4.2.1.2.1064\" = \"ext4-dio-unwrit\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1065\" = \"kworker/9:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1070\" = \"VpnMonitor\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1081\" = \"kworker/10:2\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1113\" = \"sshd\" SNMPv2-SMI::mib-2.\"25.4.2.1.2.1115\" = \"rsyslogd\"" | rex "25.4.2.1.2.(?P<PID>\d{4})(\"\s=\s\"rsyslogd)" | table PID

richgalloway
SplunkTrust

Your rex expression worked fine for me on regexr.com using your sample data. Have you tried escaping the dots or using ?<PID> instead of ?P<PID>?

---
If this reply helps you, Karma would be appreciated.
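The extraction this thread is about, as an added example that is not part of the thread or of the SNMP modular input app: a Python re version of the rex (the pattern syntax used here is the same in Splunk's PCRE) that escapes the OID dots as richgalloway suggests, accepts PIDs of any length, and returns every PID for a given process name, run against aweitzman's test event. The names pids_for_process, process_table and original_rex are chosen here.

```python
from __future__ import annotations
import re

# Constructed copy of aweitzman's test event from the thread (sshd appears twice).
SAMPLE_EVENT = (
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1064" = "ext4-dio-unwrit" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1065" = "kworker/9:2" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1070" = "VpnMonitor" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1081" = "kworker/10:2" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1113" = "sshd" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1115" = "rsyslogd" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1116" = "sshd"'
)

# hrSWRunName prefix as it appears in the event. Dots are escaped so they match
# literal dots rather than any character (an unescaped "." would also match "254...").
HR_SW_RUN_NAME_PREFIX = r'25\.4\.2\.1\.2\.'

def pids_for_process(event: str, process_name: str) -> list[int]:
    """Return every PID whose hrSWRunName equals process_name, in event order."""
    # \d+ rather than \d{4}: Linux PIDs range from 1 to 7 digits, so a fixed width
    # silently drops processes with short or long PIDs. re.escape keeps process
    # names such as "kworker/9:2" from being interpreted as regex syntax.
    pattern = re.compile(
        HR_SW_RUN_NAME_PREFIX + r'(?P<PID>\d+)"\s=\s"' + re.escape(process_name) + r'"'
    )
    return [int(m.group("PID")) for m in pattern.finditer(event)]

def process_table(event: str) -> dict[int, str]:
    """Parse the whole walk into {pid: name}; handy for checking an expected-process list."""
    pattern = re.compile(HR_SW_RUN_NAME_PREFIX + r'(?P<PID>\d+)"\s=\s"(?P<NAME>[^"]*)"')
    return {int(m.group("PID")): m.group("NAME") for m in pattern.finditer(event)}

def original_rex(event: str) -> str | None:
    """The question's own expression, unchanged: the literal that follows the group
    binds it to the PID directly before "rsyslogd", so it is not actually greedy."""
    m = re.search(r'25.4.2.1.2.(?P<PID>\d{4})(\"\s=\s\"rsyslogd)', event)
    return m.group("PID") if m else None
```

Because pids_for_process returns a list, a name that appears more than once (sshd in the test event) yields all of its PIDs instead of just the first or last match.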