Splunk Search

Searching the log pattern

keshab
Path Finder

2011-11-07 13:25:35,145 FE (Exe 45) (pid 11788) destroyed

2011-11-07 13:25:35,152 PNG.exe (Exe 64) (pid 17286) destroyed

2011-11-07 13:25:35,158 K (Exe 44) (pid 11706) destroyed

2011-11-07 13:25:35,160 Kernel 44 released

2011-11-07 13:25:39,976 FE (Exe 66) initialized

2011-11-07 13:25:41,386 K (Exe 65) initialized

2011-11-07 13:39:14,750 Kernel 47 acquired

2011-11-07 13:39:16,139 PNG.exe (Exe 67) initialized

2011-11-07 13:49:27,829 FE (Exe 48) (pid 12912) destroyed

2011-11-07 13:49:27,838 PNG.exe (Exe 67) (pid 17786) destroyed

2011-11-07 13:49:27,868 K (Exe 47) (pid 12830) destroyed

2011-11-07 13:49:27,869 Kernel 47 released

2011-11-07 13:49:27,982 FE (Exe 69) initialized

2011-11-07 13:49:29,524 K (Exe 68) initialized

2011-11-07 13:58:19,630 Kernel 49 acquired

2011-11-07 13:58:20,147 PNG.exe (Exe 70) initialized

In the above log I only want to search for log lines that have K and end with initialized or destroyed. So my search result should be

2011-11-07 13:25:35,158 K (Exe 44) (pid 11706) destroyed

2011-11-07 13:25:41,386 K (Exe 65) initialized

2011-11-07 13:49:27,868 K (Exe 47) (pid 12830) destroyed

2011-11-07 13:49:29,524 K (Exe 68) initialized

What might be the possible search query?


tgow
Splunk Employee

I noticed that you missed a "\" in your last comment in front of the first "s+". I tested the regex with your data and it worked. Make sure that your search is similar to the following:

sourcetype=system | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")
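To see concretely why the suggested rex returns nothing for the question's data, and what a pattern that matches the log structure looks like, here is an added Python example (not code from the thread). It runs Python's re module over the exact log lines from the question, which are PCRE-style patterns just like Splunk's rex: "\<" and "\>" are not word boundaries in that dialect, so "\<kernel\>" requires the literal text "<kernel>", which no line contains. The function names and the parsing pattern are my own assumptions about the event layout (timestamp, process token, remainder).

```python
import re

# Constructed sample input: the log lines posted in the question, verbatim.
LOG_LINES = """\
2011-11-07 13:25:35,145 FE (Exe 45) (pid 11788) destroyed
2011-11-07 13:25:35,152 PNG.exe (Exe 64) (pid 17286) destroyed
2011-11-07 13:25:35,158 K (Exe 44) (pid 11706) destroyed
2011-11-07 13:25:35,160 Kernel 44 released
2011-11-07 13:25:39,976 FE (Exe 66) initialized
2011-11-07 13:25:41,386 K (Exe 65) initialized
2011-11-07 13:39:14,750 Kernel 47 acquired
2011-11-07 13:39:16,139 PNG.exe (Exe 67) initialized
2011-11-07 13:49:27,829 FE (Exe 48) (pid 12912) destroyed
2011-11-07 13:49:27,838 PNG.exe (Exe 67) (pid 17786) destroyed
2011-11-07 13:49:27,868 K (Exe 47) (pid 12830) destroyed
2011-11-07 13:49:27,869 Kernel 47 released
2011-11-07 13:49:27,982 FE (Exe 69) initialized
2011-11-07 13:49:29,524 K (Exe 68) initialized
2011-11-07 13:58:19,630 Kernel 49 acquired
2011-11-07 13:58:20,147 PNG.exe (Exe 70) initialized
""".splitlines()

# The pattern from the answer above, written for Python's re (PCRE-like).
# "\<" and "\>" are simply a literal "<" and ">", so this only matches events
# containing the text "<kernel>" -- none of the sample lines do.
THREAD_PATTERN = re.compile(r"\<kernel\>\s+(?P<message>[^$]+)$")

# Assumed event layout: timestamp, one process token, then the rest of the line.
EVENT_PATTERN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<process>\S+)\s+"
    r"(?P<message>.+?)\s*$"
)


def parse_event(line):
    """Split one log line into ts / process / message, or None if it does not fit."""
    m = EVENT_PATTERN.match(line)
    return m.groupdict() if m else None


def search_process_events(lines, process, states=("initialized", "destroyed")):
    """Return the lines whose process token is exactly `process` and whose
    message ends with one of `states`. Exact token comparison is what keeps
    "K" from also matching the "Kernel ..." lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["process"] != process:
            continue
        if ev["message"].endswith(states):
            hits.append(line)
    return hits


def count_thread_pattern_matches(lines):
    """How many sample lines the thread's "\\<kernel\\>" pattern matches (zero)."""
    return sum(1 for line in lines if THREAD_PATTERN.search(line))


if __name__ == "__main__":
    print("thread pattern matches:", count_thread_pattern_matches(LOG_LINES))
    for hit in search_process_events(LOG_LINES, "K"):
        print(hit)
```

The same idea carried back into Splunk would be a rex that captures the process token and the remainder, then a search on both fields, for instance rex field=_raw "^\S+\s+\S+\s+(?<process>\S+)\s+(?<message>.+)$" followed by search process=K (message="*initialized" OR message="*destroyed"). That search is my assumed equivalent, not one tested in the thread.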

tgow
Splunk Employee

Did you replace sourcetype= with the unique sourcetype of your data? For example,

sourcetype=system | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

You can also replace the sourcetype with either the source or the host, i.e.:

source=kernel.log | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

host=mysystem123 | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

keshab
Path Finder

The problem is with this: rex field=_raw "<kernel>\s+(?[^$]+)$" It's not matching any of my log patterns.


tgow
Splunk Employee

Maybe this would work but I am not sure what your field extraction is looking like:

sourcetype=<yoursourcetype> | rex field=_raw "\<kernel\>\s+(?<message>[^$]+)$" | search (message="*initialized" OR message="*destroyed")

keshab
Path Finder

It didn't work. It didn't return anything at all.
