topic Regex with eval ? in Splunk Search

Regex with eval ?

officialsubho — Fri, 17 May 2019 19:28:54 GMT

I have this following string

2019-05-17 11:30:14.262 INFO 13 --- [pool-3-thread-1] com.abcd.efgh.ijk.statuspage.StatusPage : Application[id=00, name='XYZ Service', environment='Production', status='DOWN'

i just need to extract value against the name keyword and use it as a field to run stats against it .
How can i extract the value ? Can someone plz help with the SPL ?

justgettingstarted

Re: Regex with eval ?

koshyk — Fri, 17 May 2019 20:36:09 GMT

I would have thought, Splunk automatically extracts it?

Anyway, Please find the regex

|makeresults
| eval myraw="2019-05-17 11:30:14.262 INFO 13 --- [pool-3-thread-1] com.abcd.efgh.ijk.statuspage.StatusPage : Application[id=00, name='XYZ Service', environment='Production', status='DOWN'"
| rex field=myraw "name=\'(?<name>[^\']+)\'"
| fields name

In regex101 => https://regex101.com/r/yWXFJ7/1

Re: Regex with eval ?

officialsubho — Tue, 21 May 2019 19:27:08 GMT

Thanks @koshyk , but i am not looking for the regex .
i Just need store the name='XYZ Service' in a separate field , so that i can run counts against it .

i am trying to figure out how many times a particular XYZ service showed down status on the logs .
let me know if that makes sense .

Re: Regex with eval ?

Vijeta — Tue, 21 May 2019 19:48:28 GMT

@officialsubho you can use this rex command

 rex field=_raw "name=\'(?<name>[^\']+)\'"

Re: Regex with eval ?

koshyk — Tue, 21 May 2019 20:38:55 GMT

so you want the whole of name='XYZ Service' to be in a separate field?

In the above regex, you will get the field name as "name", but you can change it to whatever it suits you.

|makeresults
 | eval myraw="2019-05-17 11:30:14.262 INFO 13 --- [pool-3-thread-1] com.abcd.efgh.ijk.statuspage.StatusPage : Application[id=00, name='XYZ Service', environment='Production', status='DOWN'"
 | rex field=myraw "name=\'(?<myNewField>[^\']+)\'"
 | stats count by myNewField