I have set up a query to check the status of linux/unix processes for a number of processes. However, when it displays the results, it shows the whole output of the command line instead of showing the status of process.
For example, the search is to check the output of process ABCDEF. But when I run the query, it shows as below:
://java/path/abc: ABCDEF:/export/path/...
Is there a way I can extract just the process name instead of the whole command line as output?
Thanks,
hi @bsaujla131984
Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!
No, It did not work...
For this kind of query, your fastest iteration on trying extraction language might be to get onto the Splunk Slack channel, the #regex subchannel, and ask for help there. It looks like sudosplunk is getting you close, but some kind of problem is persisting. They can help you down there pretty fast.
Can anyone assist with this please?
Did you try the regex exactly as I provided? Use this search: index=Unix_process host="xxxxxx" ABCDEF COMMAND=java | dedup process | rex field=_raw "\:\s(?<just_process_name>\w+)\:" | table just_process_name
Hi SudoSplunk, it is not working; error message:
Error in 'rex' command: Encountered the following error while compiling the regex ':\s(?PROCESS_NAME\w+):': Regex: unrecognized character after (? or (?-
Hi,
Regex: unrecognized character after (? or (?-
Based on the above error, I think you specified a name for the capture group but not in the format that the regex engine recognizes. Put PROCESS_NAME inside angular brackets: `| rex field=_raw ":\s(?<PROCESS_NAME>\w+):" | table PROCESS_NAME`
I had tried in angular brackets, however it was giving an error as below:
Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?<name>...).
Hi, give this a try: base_search | rex field=_raw "\:\s(?<just_process_name>\w+)\:" | table just_process_name
The regex will only work with the format specified in the question. If you have multiple formats in which the process name appears in logs, then provide samples of all possible formats and I will help with a regex that matches all of them.
Thanks for your input. I tried the following searches, however they are not working as expected:
Search 1: index=Unix_process host="xxxxxx" ABCDEF COMMAND=java | dedup process | rex field=_raw ":\s(? \w+):" | table ABCDEF
Error: Error in 'rex' command: Encountered the following error while compiling the regex ':\s(? \w+):': Regex: syntax error in subpattern name (missing terminator)
Search 2: index=Unix_process host="xxxxxx" ABCDEF COMMAND=java | dedup process | rex field=_raw ":\s(?ABCDEF \w+):" | table ABCDEF
Error: Error in 'rex' command: Encountered the following error while compiling the regex ':\s(?ABCDEF \w+):': Regex: unrecognized character after (? or (?-
Hi,
Looks like there is no named capturing group in your rex statement. A named capturing group (including the <> angular brackets) should be provided in order for rex to work.
Regex tested here.
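As an added illustration (not from any poster in this thread), the extraction that the answers above describe, run in Python over constructed command lines shaped like the one in the question. Python's re module spells a named group `(?P<name>...)` where Splunk's PCRE-based rex uses `(?<name>...)`; the match behaviour of the pattern is otherwise the same, and a malformed group name fails at compile time in both.

```python
import re

# Splunk rex form: ":\s(?<just_process_name>\w+):"
# Python re form of the same pattern (named group spelled (?P<name>...)).
PROCESS_NAME_RE = re.compile(r":\s(?P<just_process_name>\w+):")

# Constructed sample lines, modelled on the "...: ABCDEF:/export/..." shape
# shown in the question. These are not real log data.
SAMPLE_LINES = [
    "://java/path/abc: ABCDEF:/export/path/conf",
    "://java/path/xyz: GHIJKL:/export/other/conf",
    "://java/path/none /export/no-process",  # no ": NAME:" segment at all
]


def extract_process_name(line):
    """Return the process name captured by the named group, or None if the
    line does not carry a ': NAME:' segment (the equivalent of rex leaving
    the field unset)."""
    m = PROCESS_NAME_RE.search(line)
    return m.group("just_process_name") if m else None


def extract_all(lines):
    """Map each command line to its extracted process name (or None)."""
    return {line: extract_process_name(line) for line in lines}


def pattern_compiles(pattern):
    """Mirror rex's compile step: a group written without a proper
    <name> raises re.error here, just as rex reports 'unrecognized
    character after (?' in Splunk."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for line, name in extract_all(SAMPLE_LINES).items():
        print(f"{name!s:8} <- {line}")
    # The three shapes tried in the thread, in Python re spelling.
    for pat in (r":\s(?P<PROCESS_NAME>\w+):",   # correct: named group
                r":\s(?PROCESS_NAME\w+):",      # name without brackets
                r":\s(?P \w+):"):               # empty/space "name"
        print(pattern_compiles(pat), pat)
```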