Here is the line in the log I am working with:
Message=COMPUTERNAME [Monday, April 02, 2018 7:15:53 AM (GMT-06:00)]: Status of device 'COMPUTER' changed to Critical: Many viruses detected.
Goal:
I would like to search my database for all logs that have the status "Many viruses detected".
I am new to Splunk; I need to use rex, correct? I do not think the field has been extracted yet.
After being able to find all the computers with this log, I would like to extract the field for future use.
My search:
index=my_index | rex field=_raw"(?)Message=(?[a-zA-z0-9:\s[]\-,=`'."]\sMany\sviruses\sdetected"
To return events with a specific string, just include that string in your base search.
index=my_index "Many viruses detected"
If you wanted to extract the computer name, message and status, you could try something like this:
rex field=_raw "Status of device '(?<COMPUTERNAME>.*?)' (?<MESSAGE>.*?): (?<STATUS>.*?)\."
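As an added example (not part of the original answer), the same pattern applied outside Splunk with Python's re module over constructed sample events, followed by the asker's filter on the extracted STATUS field. Python spells named groups as (?P<name>...) where Splunk's PCRE accepts (?<name>...); the host and device names below are made up.

```python
import re

# Same pattern as the answer's rex, in Python's (?P<name>...) named-group syntax.
DEVICE_STATUS = re.compile(
    r"Status of device '(?P<COMPUTERNAME>.*?)' (?P<MESSAGE>.*?): (?P<STATUS>.*?)\."
)

# Constructed sample _raw events in the format shown in the question.
SAMPLE_EVENTS = [
    "Message=HOST01 [Monday, April 02, 2018 7:15:53 AM (GMT-06:00)]: "
    "Status of device 'WS-0001' changed to Critical: Many viruses detected.",
    "Message=HOST01 [Monday, April 02, 2018 7:16:10 AM (GMT-06:00)]: "
    "Status of device 'WS-0002' changed to Warning: Definitions out of date.",
    "Message=HOST02 [Monday, April 02, 2018 7:20:00 AM (GMT-06:00)]: "
    "Status of device 'WS-0003' changed to Critical: Many viruses detected.",
    "Message=HOST02 [Monday, April 02, 2018 7:21:00 AM (GMT-06:00)]: Heartbeat received.",
]


def extract_fields(raw):
    """Apply the rex pattern to one _raw event; return the named fields, or None if it does not match."""
    m = DEVICE_STATUS.search(raw)
    return m.groupdict() if m else None


def devices_with_status(events, wanted="Many viruses detected"):
    """Mimic `index=my_index "Many viruses detected" | rex ...`: filter on the literal
    string first (cheap, like the base search), then extract fields and keep the
    device names whose STATUS equals the wanted value."""
    hits = []
    for raw in events:
        if wanted not in raw:
            continue
        fields = extract_fields(raw)
        if fields and fields["STATUS"] == wanted:
            hits.append(fields["COMPUTERNAME"])
    return hits


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(extract_fields(raw))
    print(devices_with_status(SAMPLE_EVENTS))
```

Because the pattern ends in a literal `\.`, an event whose status text lacks a trailing period will not match and yields no fields; the heartbeat line shows the no-match case.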
Thank you!
My search IS NOT working
What value do you want to capture from the above event using rex?