topic Re: Splunk Report after keyword in Splunk Search

Splunk Report after keyword

runiyal — Sat, 11 Sep 2021 15:38:33 GMT

I have following events in the log. Although there are lot of rows in it but I interested in these rows only and in extracting "time: and anything after "subject:"

--- 2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: RE: Hello this is first email --- 2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is second email --- 2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is third email ---

So need to a create a report like this -

Time	Subject
2016 2021-09-11 11:01:19	RE: Hello this is first email
2016 2021-09-11 11:01:21	Re: Hello this is second email
2016 2021-09-11 11:01:22	Re: Hello this is third email

Thanks!

Re: Splunk Report after keyword

ITWhisperer — Sat, 11 Sep 2021 16:47:48 GMT

2016 doesn't appear to be part of a time - what is it about these events that would allow you to distinguish them from other events e.g. are you interested in all events which contain the string

Problem creating batch from the downloaded mail with subject:

| rex "(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)"

Re: Splunk Report after keyword

richgalloway — Sat, 11 Sep 2021 16:59:03 GMT

This should get you started.

index=foo "Server 2016" "subject" | rex "Server 2016 (?<Time>[^,]+).*subject: (?<Subject>.*)" | replace "T" with " " in Time | table Time Subject

Re: Splunk Report after keyword

runiyal — Sat, 11 Sep 2021 17:52:09 GMT

Yes, anything thats after "interested in all events which contain the string".

When I search with -

index="foo" | rex "(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)"

then I am getting following error -

Error in 'rex' command: Encountered the following error while compiling the regex '(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)': Regex: unknown property name after \P or \p.

But if I put a space between *\ and Problem, then it is providing all the rows, even without the even I am looking for and not in a tabular form.

Re: Splunk Report after keyword

runiyal — Sat, 11 Sep 2021 19:17:41 GMT

Only command not working is -

| replace "T" with " " in Time

Still in the result I am seeing - 2021-09-11T11:01:19

Re: Splunk Report after keyword

ITWhisperer — Sat, 11 Sep 2021 21:20:30 GMT

Sorry, that was a typo, the \ before the P is not needed

Re: Splunk Report after keyword

richgalloway — Sat, 11 Sep 2021 23:44:36 GMT

Try this instead of replace.

| rex field=Time mode=sed "s/T/ /"

Re: Splunk Report after keyword

runiyal — Sun, 12 Sep 2021 01:09:00 GMT

Thanks a lot, it worked!