Regex for "Splunk Servers with resource starvation" alert doesn't match some timezones #12
Description
The regex in the "AllSplunkEnterpriseLevel - Splunk Servers with resource starvation" alert needs a couple of small tweaks to support timezones that start with "-". Example log entry:
05-22-2021 02:43:52.616 -0400 WARN ServerInfoHandler - Responding to /server/info took longer than seems reasonable (5266 milliseconds, props_ms=2, kvs_ms=1, shc_ms=1, cluster_ms=1). Check your system for resource contention, most notably CPU availability.
The first two rex lines in the search:
| rex "^[\d-]+ [\d:\.]+( )+\+?\d+( )+[^ ]+( )+(?P<componentAndArea>([^ ]+( )+){3}).*\((?P<number>\d+) milliseconds"
| rex "^[\d-]+ [\d:\.]+( )+\+?\d+( )+[^ ]+( )+(?P<componentAndArea2>DispatchManager\s+([^ ]+( )+){3}).*elapsed_ms=(?P<number3>\d+)"
Need to be changed to:
| rex "^[\d-]+ [\d:\.]+( )+[\+-]?\d+( )+[^ ]+( )+(?P<componentAndArea>([^ ]+( )+){3}).*\((?P<number>\d+) milliseconds"
| rex "^[\d-]+ [\d:\.]+( )+[\+-]?\d+( )+[^ ]+( )+(?P<componentAndArea2>DispatchManager\s+([^ ]+( )+){3}).*elapsed_ms=(?P<number3>\d+)"