topic Re: How to extract a word from raw data in Splunk using rex in Splunk Search

How to extract a word from raw data in Splunk using rex

kavyamohan — Mon, 21 Oct 2019 09:25:02 GMT

SVSCPLEX,S0W1,S0W1.DAL-EBIS.IHOST.COM,SYSLOG,zOS-SYSLOG-Console,SYSLOG,-0400,NE,001C,19283 01.21.46.880 -0500,S0W1 ,JOB03487, ,40000000000000000000000000000000,00000090,TESCREAT,00," IEF450I TESCREAT STEP010 - ABEND=S222 U0000 REASON=00000000"\n. I want to extract this TESCREAT from the above given. I was able to write rex, but iam getting error while using the below rex field. Can you help me where I am missing.

| rex field=_raw ^[^"\n]*"\s+\w+\d+\w+\s+(?P\w+)

Re: How to extract a word from raw data in Splunk using rex

gcusello — Mon, 21 Oct 2019 10:47:56 GMT

Hi kavyamohan,
try this

| rex "([^,]*,){15}(?<my_field>[^,]*),"

you can test it at https://regex101.com/r/Dul1S5/1

ciao.
Giuseppe

Re: How to extract a word from raw data in Splunk using rex

kavyamohan — Mon, 21 Oct 2019 10:58:53 GMT

Thank you so much. It worked, where can I practice and learn writing rex?

Re: How to extract a word from raw data in Splunk using rex

gcusello — Mon, 21 Oct 2019 12:46:50 GMT

Hi kavyamohan,
you can use regex101 to test your regexes and this is the most important site to use!
.
About a tutorial, you can search on Internet using Google, anyway I used this https://www.regular-expressions.info/

If you want a quick reference guide (very quick for regexes but there are many information also on Splunk), you can use https://www.splunk.com/pdfs/solution-guides/splunk-quick-reference-guide.pdf .

Ciao.
Giuseppe

Re: How to extract a word from raw data in Splunk using rex

kavyamohan — Tue, 22 Oct 2019 04:56:05 GMT

ok Thank you so much. Will check on it:)