<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Parse some text from log in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Parse-some-text-from-log/m-p/446727#M77709</link>
    <pubDate>Wed, 06 Feb 2019 10:20:36 GMT</pubDate>
    <dc:creator>claudio9494</dc:creator>
    <dc:date>2019-02-06T10:20:36Z</dc:date>
    <item>
      <title>Parse some text from log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Parse-some-text-from-log/m-p/446727#M77709</link>
      <description>&lt;P&gt;Hi everyone,&lt;BR /&gt;
I've got some logs like this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[2019-02-01 14:51:43][P][APPLICATION/controllers/access_controller.php:166  in access_controller::_get_authenticated_user()] [24418549=Laetitia resoludor] _get_authenticated_user -&amp;gt; session_start
[2019-02-01 14:51:43][P][APPLICATION/mappers/exam_mapper.php:15 SQL-&amp;gt;query_single_row()  in exam_mapper::getExam()] [24418549=Laetitia resoludor] [DB] INIT: mysql:host=hidden.com;dbname=myapp
[2019-02-01 14:51:43][P][APPLICATION/mappers/exam_mapper.php:15 SQL-&amp;gt;query_single_row()  in exam_mapper::getExam()] [24418549=Laetitia resoludor] [SQL][myapp/mysql] 
SELECT *
        FROM app_exam 
        INNER JOIN  app_qcm ON app_exam.id_qcm = app_qcm.id_qcm
        WHERE app_exam.id_exam = 4506873

[2019-02-01 14:51:43][P][APPLICATION/mappers/exam_mapper.php:15 SQL-&amp;gt;query_single_row()  in exam_mapper::getExam()] [24418549=Laetitia resoludor] [SQL][myapp/mysql] 
[2019-02-01 14:51:52][P][APPLICATION/mappers/exam_login_mapper.php:231 SQL-&amp;gt;query_all()  in exam_login_mapper::selectAllByIdExamWithoutXML3()] [24418549=Laetitia resoludor] [SQL][myapp/mysql] 
SELECT id_exam_sheet,  points, note, current_question, total_question,options
        FROM app_exam_login
        INNER JOIN app_exam_sheet ON app_exam_login.id_exam_login = app_exam_sheet.id_exam_login
        where app_exam_login.id_exam=4506873
        order by id_exam_sheet;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I need to parse the [24418549=Laetitia resoludor]; the field inside the square brackets (numberfield=name) can change.&lt;BR /&gt;
How can I do that?&lt;BR /&gt;
I've found a regex that can do that, "[0-9]\d+=([A-Z])\w+ \w+". How can I apply that in Splunk Search and Reporting?&lt;/P&gt;</description>
      <pubDate>Wed, 06 Feb 2019 10:20:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Parse-some-text-from-log/m-p/446727#M77709</guid>
      <dc:creator>claudio9494</dc:creator>
      <dc:date>2019-02-06T10:20:36Z</dc:date>
    </item>
    <item>
      <title>Re: Parse some text from log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Parse-some-text-from-log/m-p/446728#M77710</link>
      <description>&lt;P&gt;You can use the rex command to accomplish your task.&lt;/P&gt;

&lt;P&gt;Ex. | rex field=_raw "[0-9]\d+=(?&amp;lt;myfield&amp;gt;[A-Z]\w+\s+\w+)"&lt;/P&gt;

&lt;P&gt;This will extract the value into a field called "myfield".&lt;BR /&gt;
Reference: &lt;A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Rex"&gt;https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Rex&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 06 Feb 2019 12:45:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Parse-some-text-from-log/m-p/446728#M77710</guid>
      <dc:creator>rshah_splunk</dc:creator>
      <dc:date>2019-02-06T12:45:17Z</dc:date>
    </item>
    <item>
      <title>Re: Parse some text from log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Parse-some-text-from-log/m-p/446729#M77711</link>
      <description>&lt;P&gt;Thanks, how can I extract from all events?&lt;/P&gt;</description>
      <pubDate>Wed, 06 Feb 2019 15:20:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Parse-some-text-from-log/m-p/446729#M77711</guid>
      <dc:creator>claudio9494</dc:creator>
      <dc:date>2019-02-06T15:20:15Z</dc:date>
    </item>
    <item>
      <title>Re: Parse some text from log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Parse-some-text-from-log/m-p/446730#M77712</link>
      <description>&lt;P&gt;All event means? Can you help me understand?&lt;BR /&gt;
Just to note that, as we have provided field=_raw, we will be applying that regex on the entire raw event.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Feb 2019 11:02:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Parse-some-text-from-log/m-p/446730#M77712</guid>
      <dc:creator>rshah_splunk</dc:creator>
      <dc:date>2019-02-07T11:02:25Z</dc:date>
    </item>
  </channel>
</rss>

