topic Re: How to extract the required keywords using REGEX in Splunk Enterprise

How to extract the required keywords using REGEX

phanichintha — Tue, 29 Jun 2021 02:17:36 GMT

Hello!

Log:

transactionId: NA, businesskey: GRNJob, environment: prod, flowName: app-report-grn-scheduler-flow, message: Computed Range for Aribus GRN Query - {"viewTemplateName":"mcdonalds_Receipt_updatedRange",
"filters": {

Based on the above log, I need to search in any logs for the message: "anything". Please help the regex to find out.

Re: How to extract the required keywords using REGEX

venkatasri — Tue, 29 Jun 2021 02:27:29 GMT

Hi @phanichintha

Based on your sample can you try following it extracts message: <value>, value to a field called message, which you can further use to filter events.

Note: Regex only works for combination of numbers, Alphabets, space and _

From above sample value would be extracted as, message = Computed Range for Aribus GRN Query

index=<your_index> sourcetype=<your_sourcetype> | rex "message:(?<message>[\w\s]+)" | search message="<replace_it_with_string_you_want_to_search>"

---

An upvote would be appreciated and Accept Solution if it helps!

Re: How to extract the required keywords using REGEX

phanichintha — Tue, 29 Jun 2021 04:26:04 GMT

@venkatasri its not showing any results based on your query

I tried: No output

The output will be like this:
Search:
host="mules1" OR host="mules2" "nextFromDate for Ariba query set in s3 fromDateTimeUTC"
Output:

Re: How to extract the required keywords using REGEX

priyanka_231019 — Tue, 29 Jun 2021 04:49:59 GMT

Try replacing rex statement with

rex field=_raw "message:(?<message>[\w\s]+)"

Re: How to extract the required keywords using REGEX

ITWhisperer — Tue, 29 Jun 2021 05:25:28 GMT

I assume you are just looking for events with a match for "message:" followed by anything, not that you are trying to extract the "anything" into a field

| regex "message:\s[\w\s]+"

Re: How to extract the required keywords using REGEX

phanichintha — Tue, 29 Jun 2021 05:27:14 GMT

@priyanka_231019 no use showing nothing,

Re: How to extract the required keywords using REGEX

phanichintha — Tue, 29 Jun 2021 05:58:53 GMT

@ITWhisperer as per our yesterday's discussion i got the exact results. So same like this in some of the events am not able to get like this the Message field is not taking up to extract while combining in Example 2.

Example 1: Perfect output

host="mules1" OR host="mules2"
Message="message: Start of Flow CreateUser flow" OR
Message="message: All system calls for CREATE user is completed" | stats count by Message
| transpose 0 header_field=Message
| eval Failures='message: Start of Flow CreateUser flow'-'message: All system calls for CREATE user is completed'
| transpose 0 column_name=message header_field=column

Example 2: getting issue

but Individually showing events,

Re: How to extract the required keywords using REGEX

venkatasri — Tue, 29 Jun 2021 06:00:40 GMT

@phanichintha Originally there was no space in sample can you try this ,

Try | search =*nextFromDate for Ariba* something like this with wildcard there could be extra spaces being extracted.

index=<your_index> sourcetype=<your_sourcetype> | rex "message:\s+(?<message>[\w\s]+)" | search message="<replace_it_with_string_you_want_to_search>"

Re: How to extract the required keywords using REGEX

ITWhisperer — Tue, 29 Jun 2021 06:11:27 GMT

What events and what fields ar already extracted when you do this search?

host="mules1" OR host="mules2" "nextFromDate for Ariba query set in s3 fromDateTimeUTC"

Re: How to extract the required keywords using REGEX

phanichintha — Tue, 29 Jun 2021 06:32:55 GMT

@ITWhisperer the events are related to "nextFromDate for Ariba query set in s3 fromDateTimeUTC" and the fields are below listed, in the files "Message" is extracted by me, based on that also some are not extracting under "Message" field.

Re: How to extract the required keywords using REGEX

ITWhisperer — Tue, 29 Jun 2021 07:19:37 GMT

Isn't that the issue - that that Message field extraction is not working for all your events?

Do you need to extract it in the search? Can you share your current extract configuration?