topic rex extraction of multiple fields from a record in Splunk Search

rex extraction of multiple fields from a record

Rob_Jordan — Thu, 27 May 2010 01:47:31 GMT

While the following extraction below works, I wanted to see if I could extract both custom fields EAR_FILE and DOMAIN_NAME in one rex step instead of initiating a second search and rex command.

"Initiating redeploy*.ear" | rex field=_raw "(?<EAR_FILE>\w*\.ear)" | search "Initiating redeploy*.ear"| rex field=_raw "(?<DOMAIN_NAME>\w\wdomain\d\d)"

Sample Records:

<May 01, 2010 9:38:10 AM CDT> <Info> <J2EE Deployment SPI> <BEA-260121> <Initiating redeploy operation for application, MyApp [archive: /tmp/tsdomain01/upload/MyApp.ear], to configured targets.> 
<May 01, 2010 9:50:01 AM CDT> <Info> <J2EE Deployment SPI> <BEA-260121> <Initiating redeploy operation for application, YourApp [archive: /tmp/tsdomain02/upload/YourApp.ear], to configured targets.>

Thank you,

Rob

Re: rex extraction of multiple fields from a record

dwaddle — Thu, 27 May 2010 02:17:43 GMT

Without seeing the original event, it's hard to make a regex to pull both. But, as a general rule, this is possible. As an example, for the event "Green Eggs and Ham" you could do a regex similar to:

| rex field=_raw "(?<egg_color>[^\s]+)[Ee]ggs and (?<meat_type>[^\s]+)"

If you're going to be doing this type of extraction on a regular basis, it might be worth it to read up on setting these up permanently in props.conf/transforms.conf.

Re: rex extraction of multiple fields from a record

Rob_Jordan — Thu, 27 May 2010 02:55:24 GMT

dwaddle, thanks for the help. Based on your example above, I was able to get it to work with the following.

"Initiating redeploy*.ear" | rex field=_raw "(?<DOMAIN_NAME>\w\wdomain\d\d)/.*/(?<EAR_FILE>\w*\.ear)"