Help in RegEx to get a separate values

jerinvarghese
Communicator

Need help in formatting a regex command output.

Program that I created:

index=opennms  "bigipServiceDown"
  | rex field=eventlogmsg "bigipNotifyObjMsg=(?<POOL>.+down. )"
  | table POOL, nodelabel

Output :

POOL    nodelabel
Pool /Common/tiger.exxonmobil.com-443-pl member /Common/10.159.217.11:443 monitor status down. [ /Common/https-vdi-connection_manager: down;    INMCOIGW-APNADC003
Pool /Common/tiger.exxonmobil.com-443-pl member /Common/10.159.217.11:443 monitor status down. [ /Common/https-vdi-connection_manager: down;    INMCOIGW-APNADC003
Pool /Common/tiger.exxonmobil.com-443-pl member /Common/10.159.217.11:443 monitor status down. [ /Common/https-vdi-connection_manager: down;    INMCOIGW-APNADC003

Expected output :

POOL    Monitor VDI nodelabel
tiger.exxonmobil.com-443-pl member  10.159.217.11:443 monitor status down   Common/https-vdi-connection_manager: down   INMCOIGW-APNADC003
leopard.exxonmobil.com-443-pl member    Common/vdi-pnh.ap.xom.com:443 monitor status down   Common/https-vdi-connection_manager-pnh: down   INMCO-APNADC104

RAW Data :

eventlogmsg=""<p>
    bigipServiceDown trap received
    bigipNotifyObjMsg=Pool /Common/leopard.exxonmobil.com-443-pl member /Common/vdi-pnh.ap.xom.com:443 monitor status down. [ /Common/https-vdi-connection_manager-pnh: down; last error: /Common/https-vdi-connection_manager-pnh:  Response Code: 404 (Not Found) @2020/02/03 07:06:46.  ]  [ was up for 0hr:49mins:15sec ] (slot2)
    bigipNotifyObjNode=/Common/vdi-pnh.ap.xom.com
    bigipNotifyObjPort=443</p>""
0 Karma

jbrocks
Communicator

You can use the following regex to extract the 3 fields POOL, Monitor and VDI. You can try this regex in regex101 to check what exactly is happening:

| rex field=eventlogmsg "bigipNotifyObjMsg=Pool\s+.*?(?<POOL>[^\/]+)(?=\s+)\s+.*?(?<Monitor>[^\/]+)(?=\.\s+\[)\.\s+\[\s+(?<VDI>[^;]+);"
0 Karma

jerinvarghese
Communicator

Sorry, that didn't work; it's not giving a result.

Raw Data:

eventlogmsg=""


bigipServiceDown trap received
bigipNotifyObjMsg=Pool /Common/leopard.exxonmobil.com-443-pl member /Common/vdi-pnh.ap.xom.com:443 monitor status down. [ /Common/https-vdi-connection_manager-pnh: down; last error: /Common/https-vdi-connection_manager-pnh: Response Code: 404 (Not Found) @2020/02/03 07:06:46. ] was up for 0hr:49mins:15sec
bigipNotifyObjNode=/Common/vdi-pnh.ap.xom.com
bigipNotifyObjPort=443

""

0 Karma
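As an added offline check that is not part of the thread, the regex from the answer above run in JavaScript against the raw event text quoted in this thread (the leopard event is copied from the raw data; the tiger event and the non-pool event are constructed), since JavaScript's RegExp accepts this PCRE pattern unchanged and a match here means the rex command itself is sound for that text:

```javascript
// Added example, not from the thread. Splunk's rex uses PCRE; this pattern uses
// only syntax JavaScript's RegExp also supports (named groups, lookahead), so
// it can be exercised on captured event text before being run against the index.
const BIGIP_RE =
  /bigipNotifyObjMsg=Pool\s+.*?(?<POOL>[^\/]+)(?=\s+)\s+.*?(?<Monitor>[^\/]+)(?=\.\s+\[)\.\s+\[\s+(?<VDI>[^;]+);/;

// Run the posted regex over one eventlogmsg value. Returns the three fields,
// or null when the message is not a pool-member-down trap in this form.
function extractBigIpFields(eventlogmsg) {
  const m = BIGIP_RE.exec(eventlogmsg);
  if (!m) return null;
  return { POOL: m.groups.POOL, Monitor: m.groups.Monitor, VDI: m.groups.VDI };
}

// Variation (not part of the answer above): drop the leading "/" from VDI so
// the value reads "Common/..." as in the poster's expected output table.
function extractBigIpFieldsTrimmed(eventlogmsg) {
  const f = extractBigIpFields(eventlogmsg);
  return f && { ...f, VDI: f.VDI.replace(/^\//, "") };
}

// Sample 1: the raw eventlogmsg quoted in the thread, line breaks preserved.
const SAMPLE_LEOPARD = `<p>
    bigipServiceDown trap received
    bigipNotifyObjMsg=Pool /Common/leopard.exxonmobil.com-443-pl member /Common/vdi-pnh.ap.xom.com:443 monitor status down. [ /Common/https-vdi-connection_manager-pnh: down; last error: /Common/https-vdi-connection_manager-pnh:  Response Code: 404 (Not Found) @2020/02/03 07:06:46.  ]  [ was up for 0hr:49mins:15sec ] (slot2)
    bigipNotifyObjNode=/Common/vdi-pnh.ap.xom.com
    bigipNotifyObjPort=443</p>`;

// Sample 2: constructed from the tiger pool row in the question's output table
// (an IP member rather than a hostname) to show the pattern is not tied to one host.
const SAMPLE_TIGER = "bigipServiceDown trap received bigipNotifyObjMsg=Pool /Common/tiger.exxonmobil.com-443-pl member /Common/10.159.217.11:443 monitor status down. [ /Common/https-vdi-connection_manager: down; last error: none ]";

// Sample 3: constructed message of a different shape that the regex should not match.
const SAMPLE_OTHER = "bigipNodeDown trap received bigipNotifyObjMsg=Node /Common/10.159.217.11 monitor status down.";

for (const sample of [SAMPLE_LEOPARD, SAMPLE_TIGER, SAMPLE_OTHER]) {
  console.log(extractBigIpFieldsTrimmed(sample));
}
```

If the fields come back here but not in Splunk, the problem is in how eventlogmsg reaches rex (field not extracted, or the value split across events), not in the pattern.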