Solved: search string containing alphanumeric characters a...

raghul725 · ‎05-23-2020

Hello,

I have the following lines in logs

[Kafka Server 4], shut down completed (kafka.server)

[Kafka Server 4], start completed (kafka.server)

The number before ] could be anything between 0-9

So I am trying the following

index=* namespace=XXXXXX | search ["Kafka Server"\s\d]\,\ss\w+

And I am expecting the result to be

[Kafka Server 4], shut
[Kafka Server 4], start

But I am not getting the desired result

While I try

index=* namespace=XXXXXX | search ["Kafka Server"
I get

[Kafka Server 4], shut down completed (kafka.server)

[Kafka Server 4], start completed (kafka.server)

[Kafka Server 5], shut down completed (kafka.server)

[Kafka Server 6], start completed (kafka.server)

...... etc

Could someone assist me please?

Regards

to4kawa · ‎05-23-2020

sample:

| makeresults
| eval _raw="[Kafka Server 4], shut down completed (kafka.server)
[Kafka Server 4], start completed (kafka.server)"
| multikv noheader=t
| fields _raw
| search TERM("Kafka")  TERM("Server") ((TERM("shut") TERM("down")) OR TERM("start")) TERM("completed")
| rex "(?<server>\[.*\]), (?<status>.*) completed"

Recommend:

index=* namespace=XXXXXX TERM("Kafka")  TERM("Server") ((TERM("shut") TERM("down")) OR TERM("start")) TERM("completed")
| rex "(?<server>\[.*\]), (?<status>.*) completed"
| table _time server status

you don't have to care with []

View solution in original post

to4kawa · ‎05-23-2020

sample:

| makeresults
| eval _raw="[Kafka Server 4], shut down completed (kafka.server)
[Kafka Server 4], start completed (kafka.server)"
| multikv noheader=t
| fields _raw
| search TERM("Kafka")  TERM("Server") ((TERM("shut") TERM("down")) OR TERM("start")) TERM("completed")
| rex "(?<server>\[.*\]), (?<status>.*) completed"

Recommend:

index=* namespace=XXXXXX TERM("Kafka")  TERM("Server") ((TERM("shut") TERM("down")) OR TERM("start")) TERM("completed")
| rex "(?<server>\[.*\]), (?<status>.*) completed"
| table _time server status

you don't have to care with []

richgalloway · ‎05-23-2020

The search command does not support regular expressions. The regex command and searchmatch functions (among others) do, however.

Try this.

index=* namespace=XXXXXX "[Kafka Server*" | regex "\[Kafka Server\s\d],\ss\w+"

or

index=* namespace=XXXXXX "[Kafka Server*" | where searchmatch("\[Kafka Server\s\d],\ss\w+")

---
If this reply helps you, Karma would be appreciated.

raghul725 · ‎05-23-2020

Nice thanks Richgalloway,
Regex works, but for some reason searchmatch does not return any results.

Anyways I can survive with Regex.

Best Regards,

to4kawa · ‎05-23-2020

searchmatch() matches String , not REGEX
use match()
| where match(_raw,"\[Kafka Server\s\d],\ss\w+")

richgalloway · ‎05-24-2020

Thanks for setting me straight, @to4kawa.

---
If this reply helps you, Karma would be appreciated.

search string containing alphanumeric characters and square brackets

field extraction

regex

rex

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk