topic Log level extraction in Splunk Enterprise

Log level extraction

sphiwee — Sun, 18 Oct 2020 13:04:25 GMT

here is some sample data, can someone help me with a regular expression to extract the highlighted part "status:READY_TO_PROCESS" as process status

2020-10-18 14:06:18 [bp-[507bbd99]-completeMachineRun-233466] HitService [INFO] Created typed run Run: id=233467, uuid=7653767a-5e85-409d-aa3e-69bbeac40ad0 name=Final Results {size:0, status:READY_TO_PROCESS, rootRun:7653767a-5e85-409d-aa3e-69bbeac40ad0, data:}

Re: Log level extraction

isoutamo — Sun, 18 Oct 2020 14:02:43 GMT

I expecting that there is always word status and then it’s value ending to ,. If this is not a valid expectation then this rex needs to updated.

... | rex "(?<status>status:[^,]+)"

r. Ismo

Re: Log level extraction

sphiwee — Sun, 18 Oct 2020 13:59:51 GMT

Sorry but it's pulling something totally different

Re: Log level extraction

sphiwee — Sun, 18 Oct 2020 14:03:05 GMT

Sorry but it's pulling something totally different

Re: Log level extraction

isoutamo — Sun, 18 Oct 2020 14:03:34 GMT

Forget + from the end, did it works now?

Re: Log level extraction

inventsekar — Sun, 18 Oct 2020 16:38:19 GMT

Hi @sphiwee ... @isoutamo 's rex query is working fine and extracting the status msg(did you add the plus sign and the field=_raw or ur fieldname?). Please check the screenshot:

| makeresults | eval log="2020-10-18 14:06:18 [bp-[507bbd99]-completeMachineRun-233466] HitService [INFO] Created typed run Run: id=233467, uuid=7653767a-5e85-409d-aa3e-69bbeac40ad0 name=Final Results {size:0, status:READY_TO_PROCESS, rootRun:7653767a-5e85-409d-aa3e-69bbeac40ad0, data:}" | rex field=log "(?<status>status:[^,]+)" | table status