How to extract a field and send an email alert?

macadminrohit · ‎03-13-2017

Hi,

I have the below event for which I need to get an alert whenever the event occurs and get the version of the file .

[2017-03-13T16:16:07-04:00] INFO: Processing remote_file[/opt/chef/cache/openupf-abdirect-web-17.03.00.01-20170313.032310-34-config.tar] action create (AB_CD_Appserver::deploy line 21)

The highlighted part is the version of the file which I need to get in the email. I created a field transformation and get an alert mentioning the version.

Thanks
Rohit

woodcock · ‎03-13-2017

Like this:

Your Base Search Here | rex "(?<file_version>\d+\.\d+\.\d+\.\d+[^\]]+)" | table _raw file_version

macadminrohit · ‎03-14-2017

I Used the Regex builder provided by splunk and it gives the below regex expression:

(?=[^o]*(?:opt/chef/cache/openupf-abdirect-web-|o.*opt/chef/cache/openupf-hldirect-web-))^(?:[^\-\n]*\-){6}(?P\d+\.\d+\.\d+\.\d+\-\d+\.\d+\-\d+\-\w+\.\w+)

My question is how do use the new field created by it??

woodcock · ‎03-14-2017

Like this:

    Your Base Search Here | rex "(?=[^o]*(?:opt/chef/cache/openupf-abdirect-web-|o.*opt/chef/cache/openupf-hldirect-web-))^(?:[^\-\n]*\-){6}(?<file_version>\d+\.\d+\.\d+\.\d+\-\d+\.\d+\-\d+\-\w+\.\w+) | table _raw file_version

rafamss · ‎03-13-2017

You could use a regex for extract the field in search time like this *\d{2}.\d{2}.\d{2}.\d{2}-\d{8}.\d{6}-\d{2}-\w*.\w*.* and then, create a Alert that send the e-mail.

How to extract a field and send an email alert?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life