Here is the raw data:
07/26/2012 08:03:39 AM LogName=System SourceName=USER32 EventCode=1073 EventType=2 Type=Warning ComputerName=W57364821 User=SYSTEM Sid=S-1-5-18 SidType=1 Category=0 CategoryString=none RecordNumber=37639 Message=The attempt to reboot W57364821 failed
This is what I have created so far:
Message=The attempt to reboot W57364821(?
Try this:
Message=.+?(?<operation_result>\w+)$
As sdaniels indicates, we typically try this with an in-line search and then automate if necessary. This is a sample of a test search:
index=blah sourcetype=syslog bla blah | rex field=_raw "Message=.+?(?<operation_result>\w+)$"
The question here is, does this make sense?
Good luck. Happy Splunking!
Thanks Gilberto
Are you trying to do this in the Search app? You need to use the rex command to extract the new field.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/rex
...<search stuff>... | rex field=_raw "reboot W57364821(?<mfailed>\S+)"
Assuming W57364821 is always going to be the same, otherwise you'll need to have a better regex.
Get a simple example working with the hardcoded host like above. Then modify it to be something like "reboot\s\S+(?
It is not going to be the same, but since the Windows event logs are so big, not all that data is passed to the extraction tool in Splunk, so I have to use regexr.
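The two regexes suggested in the thread can be checked offline before they go into a rex command. The following is an added example, not code from any of the posters; it uses the event from the question as a constructed sample plus a second constructed event, and the field names target_host and operation_result are assumptions. Note that Splunk's rex accepts (?<name>...) while Python's re module needs (?P<name>...); the patterns are otherwise the same.

```python
import re

# Constructed sample: the event from the question (W57364821 is the host name shown there).
SAMPLE_EVENT = (
    "07/26/2012 08:03:39 AM LogName=System SourceName=USER32 EventCode=1073 "
    "EventType=2 Type=Warning ComputerName=W57364821 User=SYSTEM Sid=S-1-5-18 "
    "SidType=1 Category=0 CategoryString=none RecordNumber=37639 "
    "Message=The attempt to reboot W57364821 failed"
)

# Constructed second event with an unrelated message, to show what the
# "last word of the message" regex does on events that are not reboot attempts.
OTHER_EVENT = (
    "07/26/2012 08:05:12 AM LogName=System SourceName=Service Control Manager "
    "EventCode=7034 Type=Error ComputerName=W57364821 "
    "Message=The Print Spooler service terminated unexpectedly"
)

# Pattern from the accepted answer: capture the last word of the Message field.
# Splunk syntax would be Message=.+?(?<operation_result>\w+)$
RESULT_ONLY = re.compile(r"Message=.+?(?P<operation_result>\w+)$")

# Generalised version of the second answer's "reboot\s\S+" idea: do not hard-code
# the host, capture it and the outcome separately (field names are assumptions).
HOST_AND_RESULT = re.compile(r"reboot\s(?P<target_host>\S+)\s(?P<operation_result>\w+)$")


def extract_fields(raw: str) -> dict:
    """Return the fields extracted from one raw event.

    Prefers the reboot-specific pattern; falls back to the generic last-word
    pattern; returns {} if neither matches.
    """
    m = HOST_AND_RESULT.search(raw)
    if m:
        return m.groupdict()
    m = RESULT_ONLY.search(raw)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    for event in (SAMPLE_EVENT, OTHER_EVENT):
        print(extract_fields(event))
```

Running it shows the point raised in the thread ("does this make sense?"): on the reboot event both patterns agree on operation_result=failed, but on the spooler event the last-word pattern happily returns operation_result=unexpectedly, so in a saved search the generic regex should be paired with a filter such as EventCode=1073 or the more specific reboot pattern.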