- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multiple expressions in single search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multiple expressions in single search
I'm trying to combine multiple rex expressions in a single search, but I'm having issues with my syntax. More specifically I'm trying to create a table showing the state of Weblogic application deployments after a JVM restart. We have multiple application deployments so I'd like to gather the information showing status of each application after JVM starts up. A clip from my logs might look like this...
[Jan 19, 2018 6:44:17 PM GMT] [Info] [Deployer] [myhost.com] [my-wls-jvm-name01] [[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default (self-tuning)'] [[WLS Kernel]] [1516387457459] [BEA-149060] [Module myapp.war of application myapp successfully transitioned from STATE_ADMIN to STATE_ACTIVE on server my-wls-jvm-name01.]
[Jan 19, 2018 6:44:17 PM GMT] [Info] [Deployer] [myhost.com] [my-wls-jvm-name01] [[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default (self-tuning)] [[WLS Kernel]] [1516387457442] [BEA-149059] [Module myotherapp.ear of application MyOtherApp Application [Version=11.1.1.1.0] is transitioning from STATE_ADMIN to STATE_ACTIVE on server my-wls-jvm-name01.]
My search looks something likes this...
host=myhost source=/hosting/logs//*.log CASE(Module) *.ear OR *.war | rex "Module (?[^/]+)of*transitioned from (?[^/]+)" | table myapp myappfromto
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about trying this below to have all the relevant things [out of which you can choose what do you want to pick]:
host=myhost source=/hosting/logs//.log CASE(Module) .ear OR *.war
| rex "\[Module\s*(?<myWar>[\S]+) of application (?<myApp>[\S]+) (?<action>.+) from (?<prevState>[\S]+) to (?<curState>[\S]+) on server (?<server>[^\]]+)"
| table myWar, myApp, action, prevState, curState, server
See extraction here
A better extraction which will ensure that spaces don't tumble the query can be seen here and using that your query shall look like as follows:
host=myhost source=/hosting/logs//.log CASE(Module) .ear OR *.war
| rex "\[Module\s*(?<myWar>[\S]+)\s*of\s*application\s*(?<myApp>[\S]+)\s*(?<action>.+)\s*from\s*(?<prevState>[\S]+)\s*to\s*(?<curState>[\S]+)\s*on\s*server\s*(?<server>[^\]]+)"
| table myWar, myApp, action, prevState, curState, server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi gokadroid,
actually the rex command isn't completed like this.
please do
| rex field=_raw "\[Module\s*(?<myWar>[\S]+)\s*of\s*application\s*(?<myApp>[\S]+)\s*(?<action>.+)\s*from\s*(?<prevState>[\S]+)\s*to\s*(?<curState>[\S]+)\s*on\s*server\s*(?<server>[^\]]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@horsefez
Please read the documentation here below:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex#Optional_arguments
What you are asking me to do is "optional" and anyways field is always taken _raw as default.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oh, wow... didn't know that 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we always learn something new with Splunk!!
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
