topic Re: Regex help to extract logname in Splunk Search

Regex help to extract logname

iamsplunker — Wed, 04 Jan 2023 21:43:40 GMT

I'm trying to extract logname from the following.

So the logname value would be message.log/bblog.log/api.log

Please Note : When the timestamp date is between10-31 there is no extra space where when the timestamp date is single digit i.e.,(1-9 ) there is an extra space at the beginning of the event.

ex: <10>Jan<space><space>4 15:30:02

<10>Dec<space>31 15:30:02

Here are the sample events

<10>Jan 4 15:30:02 a2222xyabcd031.xyz.com app1001-cc-NONPROD 2023-01-04 15:30:02 message.log INFORMATION
apple:73 dev-banana_Guava-[Messaging.Security] [sys] [THE Outbound | outbound|] claimEligibility=false

<10>Jan 4 15:30:02 ia2222xyabcd031.xyz.com app1001-cc-NONPROD 2023-01-04 15:30:02 bblog.log INFORMATION
apple:73 dev-banana_Guava-[Messaging.Security] [sys] [THE Outbound | outbound|] claimEligibility=false

<10>Dec 31 15:30:04 a2222xyabcd031.xyz.com app1001-cc-NONPROD 2023-01-04 15:30:04 api.log INFORMATION
apple:73 dev-banana_Guava-[Messaging.Security] [sys] [THE Outbound | outbound|] claimEligibility=false

Re: Regex help to extract logname

ITWhisperer — Wed, 04 Jan 2023 22:05:55 GMT

| rex "(?<logname>\S+)\s+INFORMATION"

Re: Regex help to extract logname

richgalloway — Wed, 04 Jan 2023 22:08:20 GMT

Try this regex. Change the values of "WARNING" and "ERROR" to match your data.

(\S+) (?:INFORMATION|WARNING|ERROR)

Note the leading space.

Re: Regex help to extract logname

iamsplunker — Wed, 04 Jan 2023 22:22:01 GMT

Thanks for your response.

Quick question what if we have different string after the LogName

For ex: ERROR or WARN

Can we use something like this ?

| rex "(?<logname>\S+)\s+INFORMATION|WARN|ERROR"

Re: Regex help to extract logname

ITWhisperer — Wed, 04 Jan 2023 22:30:34 GMT

I would try putting the alternate values in brackets

| rex "(?<logname>\S+)\s+(INFORMATION|WARN|ERROR)"