topic Re: Using regex in Splunk in Splunk Search

Using regex in Splunk

darpohsh — Wed, 10 Jul 2013 04:27:43 GMT

I would like to be able to extract some details from the logs, namely "AR1" and "SIN" as 2 fields and a 3rd field with the status after the text 'AR1(SIN)-'.

# print: msg: AR1(SIN)-rollout: Group 1 started (06:25:51)

# print: msg: AR1(SIN)-rollout: Group 1 completed (06:41:08)

Any advise on what is the regex that I should use in my Splunk query?

Re: Using regex in Splunk

ranjyotiprakash — Wed, 10 Jul 2013 06:29:49 GMT

you have two options :

1 .either perform field extraction using configurations in inputs.conf, props.conf, transforms.conf link text

or option 2. do field extraction directly in search command using rex link text

if using rex command, you can use something like this :

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | table field1, field2, field3

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | your search query

Re: Using regex in Splunk

darpohsh — Thu, 11 Jul 2013 04:22:14 GMT

Thank you @ranjyotiprakash. With a slight modification, I was able to get it 🙂

..... | rex field = _raw ".*\s+msg:\s+(?\S+)\((?\S+)\)-(?.*)" | table field1, field2, field3

Re: Using regex in Splunk

ranjyotiprakash — Fri, 12 Jul 2013 13:52:45 GMT

yes .. i missed escaping the extra parenthesis. thanks.