https://community.splunk.com/t5/Splunk-Search/How-to-apply-a-regular-expression-that-pulls-multiple-values/m-p/471142#M132547 <P>Hi all,</P> <P>I've been struggling to extract certain values from application logs and assign them to the given field name. As I don't know how to use or write regular expression in splunk, I need help to write a query to get the desired output. Here is my base search query:</P> <P><A href="https://www.myapplication.com/myapi/version5/autofill/" target="_blank">https://www.myapplication.com/myapi/version5/autofill/</A> "ERROR"</P> <P>here is the output log:</P> <P>"ERROR" "store.view.app.api.controller.myClientLoggingController" "viewhost02" "myview2_2" &lt;&gt; "catalina-exec-7" "requestId=d4s6666-9d6e-2c0g-7c20-6e9f7wfa7f6" &lt;&gt; "clientIp=234.234.234.22" "store.view.app.api.controller.myClientLoggingController.logError(?:?):My-AngularApp<BR /> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxcxxxxxxxxxxxx</P> <H2>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</H2> <P><STRONG>NOTE:</STRONG> in above log I have replaced the brackets &lt;&gt; with quotes "" </P> <P>Now I want to extract the "requestId", "clientIp" and "My-AngularApp" and assign them to field name as "Req_ID", "Cust_IP" and "App_Name" respectively.</P> <P>Can someone please help with the query to achieve the desired output, as I always struggle with REX syntax and can't write the query by my own.</P> <P>Thank you in advance.</P> Wed, 30 Sep 2020 05:37:11 GMT iqbalintouch 2020-09-30T05:37:11Z https://community.splunk.com/t5/Splunk-Search/How-to-apply-a-regular-expression-that-pulls-multiple-values/m-p/471142#M132547 <P>Hi all,</P> <P>I've been struggling to extract certain values from application logs and assign them to the given field name. As I don't know how to use or write regular expression in splunk, I need help to write a query to get the desired output. Here is my base search query:</P> <P><A href="https://www.myapplication.com/myapi/version5/autofill/" target="_blank">https://www.myapplication.com/myapi/version5/autofill/</A> "ERROR"</P> <P>here is the output log:</P> <P>"ERROR" "store.view.app.api.controller.myClientLoggingController" "viewhost02" "myview2_2" &lt;&gt; "catalina-exec-7" "requestId=d4s6666-9d6e-2c0g-7c20-6e9f7wfa7f6" &lt;&gt; "clientIp=234.234.234.22" "store.view.app.api.controller.myClientLoggingController.logError(?:?):My-AngularApp<BR /> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxcxxxxxxxxxxxx</P> <H2>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</H2> <P><STRONG>NOTE:</STRONG> in above log I have replaced the brackets &lt;&gt; with quotes "" </P> <P>Now I want to extract the "requestId", "clientIp" and "My-AngularApp" and assign them to field name as "Req_ID", "Cust_IP" and "App_Name" respectively.</P> <P>Can someone please help with the query to achieve the desired output, as I always struggle with REX syntax and can't write the query by my own.</P> <P>Thank you in advance.</P> Wed, 30 Sep 2020 05:37:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-apply-a-regular-expression-that-pulls-multiple-values/m-p/471142#M132547 iqbalintouch 2020-09-30T05:37:11Z https://community.splunk.com/t5/Splunk-Search/How-to-apply-a-regular-expression-that-pulls-multiple-values/m-p/503606#M140579 <P>I restored the angle brackets to make it easier for helpers to create a regex for you.&nbsp; Please edit the question to correct any mistakes I may have made.</P><P>Are you familiar with <A href="https://regex101.com" target="_self">regex101.com</A>?&nbsp; It's a great web site for testing regular expressions.</P> Tue, 09 Jun 2020 16:59:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-apply-a-regular-expression-that-pulls-multiple-values/m-p/503606#M140579 richgalloway 2020-06-09T16:59:44Z https://community.splunk.com/t5/Splunk-Search/How-to-apply-a-regular-expression-that-pulls-multiple-values/m-p/503628#M140582 <P>Here's a stab at it. You'll be better served by <EM>not</EM> substituting elements of your log except to obfuscate sensitive data. I worked with what you have, which means it may not work as-is but this should give you a pattern to follow.</P><P><FONT face="andale mono,times">&lt;(?&lt;log_level&gt;[^&gt;]+)&gt;\s+&lt;(?&lt;class&gt;[^&gt;]+)&gt;\s+&lt;(?&lt;hostname&gt;[^&gt;]+)&gt;\s+&lt;(?&lt;viewname&gt;[^&gt;]+)&gt;\s+&lt;(?&lt;unknown1&gt;[^&gt;].)?&gt;\s+&lt;(?&lt;exec_process&gt;[^&gt;]+)&gt;\s+&lt;requestId=(?&lt;Req_ID&gt;[^&gt;]+)&gt;\s+&lt;(?&lt;unknown2&gt;[^&gt;]+)?&gt;\s+&lt;clientIp=(?&lt;Cust_IP&gt;[^\"]+)\"&gt;\"(?&lt;log_class&gt;[^:].+):(?&lt;App_Name&gt;[^\ ]+)</FONT></P><P>Regex101 link: <A href="https://regex101.com/r/FX8lkQ/1" target="_blank">https://regex101.com/r/FX8lkQ/1</A></P> Tue, 09 Jun 2020 20:30:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-apply-a-regular-expression-that-pulls-multiple-values/m-p/503628#M140582 Yorokobi 2020-06-09T20:30:47Z