Hi
I am quite new to Splunk and REX.
I am using the SNMP modular input app to poll one of my servers for multiple things. One value I poll for is the RAM used for each process. This is doing a full walk on the MIB I have provided and returns a long event which includes all the running processes. Below is an extract of the event (there are no line breaks):
SNMPv2-SMI::mib-2."25.4.2.1.2.1064" = "ext4-dio-unwrit" SNMPv2-SMI::mib-2."25.4.2.1.2.1065" = "kworker/9:2" SNMPv2-SMI::mib-2."25.4.2.1.2.1070" = "VpnMonitor" SNMPv2-SMI::mib-2."25.4.2.1.2.1081" = "kworker/10:2" SNMPv2-SMI::mib-2."25.4.2.1.2.1113" = "sshd" SNMPv2-SMI::mib-2."25.4.2.1.2.1115" = "rsyslogd"
Each process has a unique PID, but this will change with every reboot. I need to use the above to extract the PID of a specific number of processes, then use that value to run another query to get its memory utilisation. I haven't yet figured out how I will do that either but one step at a time...
Using the above example, I am trying to extract the PID for rsyslogd. The PID is the final 4 digits of the long number beforehand; however, that number is always preceded by the same set of numbers, 25.4.2.1.2.
I have run a selection of REX options, but because 25.4.2.1.2. is repeated so many times in the event, the return is greedy and either grabs the 1st or the last depending on my expression. I can't get the REX to take into account that I need the 4 digits after 25.4.2.1.2. but only if it's followed by " = "rsyslogd".
An example of my expression is:
search | rex "25\.4\.2\.1\.2\.(?P<PID>\d{4})(\"\s=\s\"rsyslogd)" | table PID
I have tried many variations along the lines of the above but it will always ignore the following text.
Can anyone offer any suggestions for how I can get it to find my unique value?
Thanks in advance
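As an added example (not from the original post or the SNMP modular input app), the following Python script parses a constructed event in the same shape as the extract above and extracts the PID for a named process. It uses the same anchoring idea as the rex in the question, a pattern that requires the process name to follow the quoted OID, but escapes the dots in 25.4.2.1.2 so they match literally and uses \d+ so PIDs with fewer or more than four digits still match; the pattern it builds is PCRE-compatible and can be pasted into rex. The memory OID helper assumes the follow-up query targets HOST-RESOURCES-MIB hrSWRunPerfMem (1.3.6.1.2.1.25.5.1.1.2), which is indexed by the same PID as hrSWRunName; that is an assumption about the second query, which the post does not specify.

```python
import re

# Constructed sample event, modelled on the SNMP walk extract in the post (single line, no breaks).
SAMPLE_EVENT = (
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1064" = "ext4-dio-unwrit" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1065" = "kworker/9:2" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1070" = "VpnMonitor" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1081" = "kworker/10:2" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1113" = "sshd" '
    'SNMPv2-SMI::mib-2."25.4.2.1.2.1115" = "rsyslogd"'
)

# One hrSWRunName varbind: the PID is the last sub-identifier of the quoted OID.
# Dots are escaped so they match literally; \d+ rather than \d{4} so any PID length matches.
VARBIND_RE = re.compile(r'25\.4\.2\.1\.2\.(?P<pid>\d+)"\s=\s"(?P<name>[^"]*)"')


def parse_hr_sw_run_names(event: str) -> dict:
    """Return {pid: process_name} for every varbind in the walk."""
    return {int(m.group("pid")): m.group("name") for m in VARBIND_RE.finditer(event)}


def pids_for(event: str, name: str) -> list:
    """All PIDs whose hrSWRunName equals `name` exactly (a daemon may run more than once)."""
    return sorted(pid for pid, n in parse_hr_sw_run_names(event).items() if n == name)


def rex_for(name: str) -> str:
    """Build a PCRE pattern, usable with Splunk rex, that captures PID only when the
    varbind value is exactly `name`. re.escape keeps names such as kworker/9:2 literal."""
    return r'25\.4\.2\.1\.2\.(?P<PID>\d+)"\s=\s"' + re.escape(name) + '"'


def extract_pid_with_rex(event: str, name: str):
    """Apply rex_for(name) to the event the way rex would; None when the process is absent."""
    m = re.search(rex_for(name), event)
    return m.group("PID") if m else None


def hr_sw_run_perf_mem_oid(pid: int) -> str:
    # Assumption: the follow-up memory query reads hrSWRunPerfMem (HOST-RESOURCES-MIB,
    # 1.3.6.1.2.1.25.5.1.1.2), which shares the PID index with hrSWRunName.
    return f"1.3.6.1.2.1.25.5.1.1.2.{pid}"


if __name__ == "__main__":
    for proc in ("rsyslogd", "sshd", "kworker/10:2", "nginx"):
        pid = extract_pid_with_rex(SAMPLE_EVENT, proc)
        print(f"{proc:14s} PID={pid}  rex={rex_for(proc)}")
        if pid is not None:
            print(f"{'':14s} next OID: {hr_sw_run_perf_mem_oid(int(pid))}")
```

Because the name is part of the anchor, the regex engine cannot stop at the first or last 25.4.2.1.2 it sees; every other varbind fails at the `"rsyslogd"` check and the scan moves on. Matching the name inside the closing quotes also prevents `sshd` from matching a hypothetical `sshd-helper`, and `parse_hr_sw_run_names` gives the whole PID table in one pass if several processes are needed.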