Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help with regex needed

damucka
Builder
‎12-09-2019 02:30 AM

Hello,

I have the following content in the variable $result.LINE$ in my alert, coming as a DB SQL result:

Below workload classes were created after the last anomaly: I306668 D041875 I355581 I327556 I027931 C5279166 I330801 I506540 I829697 I842940 I843132 I865403 I001314 I309296 I520545 D066638 I506897 I340509 I829186 D040915 D057879 I007374 D054254 D048889 I802644 C5243636 I041661 D020525 I500011 I310846 I307944 I511708 I318767 I317172 I019343 I310161 I335757 I345544 I519010 I520636

Now, this is one line, however, I would like to present it in the alert e-mail like this: 

 Below workload classes were created after the last anomaly: 
 I306668 
 D041875 
 I355581
  ...

I thought I would just apply some regex to the $result.LINE$which would replace the whitespaces after the ":" with the \n, but after trying with regex101 a little bit I am not much smarter.
Could you please advise how the corresponding regex would look like?

Kind Regards,
Kamil

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-09-2019 02:48 AM

Hi @damucka,
please try something like this:

| makeresults | eval _raw=" Below workload classes were created after the last anomaly: I306668 D041875 I355581 I327556 I027931 C5279166 I330801 I506540 I829697 I842940 I843132 I865403 I001314 I309296 I520545 D066638 I506897 I340509 I829186 D040915 D057879 I007374 D054254 D048889 I802644 C5243636 I041661 D020525 I500011 I310846 I307944 I511708 I318767 I317172 I019343 I310161 I335757 I345544 I519010 I520636"
| rex field=_raw "Below workload classes were created after the last anomaly: (?<codes>.*)"
| makemv codes
| mvexpand codes
| table codes
| rename codes As "Below workload classes were created after the last anomaly:"

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-09-2019 02:48 AM

Hi @damucka,
please try something like this:

| makeresults | eval _raw=" Below workload classes were created after the last anomaly: I306668 D041875 I355581 I327556 I027931 C5279166 I330801 I506540 I829697 I842940 I843132 I865403 I001314 I309296 I520545 D066638 I506897 I340509 I829186 D040915 D057879 I007374 D054254 D048889 I802644 C5243636 I041661 D020525 I500011 I310846 I307944 I511708 I318767 I317172 I019343 I310161 I335757 I345544 I519010 I520636"
| rex field=_raw "Below workload classes were created after the last anomaly: (?<codes>.*)"
| makemv codes
| mvexpand codes
| table codes
| rename codes As "Below workload classes were created after the last anomaly:"

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

damucka
Builder
‎12-09-2019 04:52 AM

Hi Giuseppe,

I am not sure if this is going to work for me.
The point is, that I really need to have the result at the end in the $result.LINE$ variable. The issue with your example is that you create the table, which wipes out all other variables that I have. I did not mention it in my question in order to keep it simple. So at the end I guess I really need a regex here.

Kind Regards,
Kamil

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-09-2019 06:40 AM

Hi @damucka,
I never experienced this field, but if you want to have the list of the values in your email, you can use this search:

| makeresults 
| eval _raw=" Below workload classes were created after the last anomaly: I306668 D041875 I355581 I327556 I027931 C5279166 I330801 I506540 I829697 I842940 I843132 I865403 I001314 I309296 I520545 D066638 I506897 I340509 I829186 D040915 D057879 I007374 D054254 D048889 I802644 C5243636 I041661 D020525 I500011 I310846 I307944 I511708 I318767 I317172 I019343 I310161 I335757 I345544 I519010 I520636"
 | rex field=_raw "Below workload classes were created after the last anomaly: (?<codes>.*)"
 | makemv codes

then you can use in email body $result.codes$.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...