Splunk Dev

Wildcards in the middle and end of a string

jamesfdally
Explorer

search index=DBG_SYS sourcetype=DBG_SYS msg="Shelf 1 congestion, resource cps level 2." OR msg="Shelf 1 slot * congestion, resource cpu level *"

I have a search that works, but I am getting warnings about having Wildcards in the middle of a string.
Not sure how to avoid this since Slot numbers can be 0-99 and the level can be 0-99 also.
Is it possible to look for
Shelf 1 slot (any integer) congestion, resource cpu level (any integer)

Tags (1)
0 Karma

vnravikumar
Champion

Hi @jamesfdally

Try like

|regex msg="Shelf 1 slot\s(\d{1,2})\scongestion, resource cpu level\s(\d{1,2})" 
0 Karma

jamesfdally
Explorer

I do not understand where I should put this. Should I keep my original search and add this? Then I will still get the same warning on my scheduled search every day. I have an OR statement in my search also so I need more information please.

0 Karma

jamesfdally
Explorer
index=DBG_SYS
sourcetype=DBG_SYS 
msg="Shelf 1 congestion, resource cps level 2." 
OR msg="Shelf 1 slot * congestion, resource cpu level *" 
    | rex field=msg "cpu level+\s(?<level>\d+)" 
    | rex field=msg "cps level+\s(?<level>\d+)" 
    | where level>0 
    | eval local_date_hour=strftime(_time,"%H") 
    | stats by local_date_hour host msg 
    | table local_date_hour host msg count(code) 
    | rename count(code) as hits ] 
| rename local_date_hour as Hour 
| sort by Hour
0 Karma

vnravikumar
Champion

try

 index=DBG_SYS sourcetype=DBG_SYS msg="Shelf 1 congestion, resource cps level 2." 
      | append 
          [| search index=DBG_SYS sourcetype=DBG_SYS 
          | regex msg="Shelf 1 slot\s(\d{1,2})\scongestion, resource cpu level\s(\d{1,2})" ] 
          | rex field=msg "cpu level+\s(?<level>\d+)" 
          | rex field=msg "cps level+\s(?<level>\d+)" 
          | where level>0 
          | eval local_date_hour=strftime(_time,"%H") 
          | stats by local_date_hour host msg 
          | table local_date_hour host msg count(code) 
          | rename count(code) as hits 
      | rename local_date_hour as Hour 
      | sort by Hour
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...