https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94768#M24495 <P>You might want to accept the answer, if it was helpful <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 26 Nov 2010 22:16:56 GMT ziegfried 2010-11-26T22:16:56Z https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94763#M24490 <P>Hello,</P> <P>I have a simple request <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> For a certain syslog source, I need to extract the 3rd word beginning from the end of a line. That's all. In a regular regex, the following works:</P> <PRE><CODE>(\S*)[ ]\S*[ ]\S*$ </CODE></PRE> <P>And this matches correctly the SEVERE_ERROR and NORMAL_EVENT on the following lines: </P> <PRE><CODE>Nov 25 13:55:04 x.x.x.x Nov 25 13:55:01 ProxySG: 310000 CFSSL:SSL_accept error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca(0) SEVERE_ERROR ../cf_ssl.cpp 1573 Nov 25 13:47:49 x.x.x.x Nov 25 13:47:47 ProxySG: 90000 NTP: Periodic query of server x.x.x.x, time within acceptable variance, 0 seconds, 8 ms fast compared to NTP time.(0) NORMAL_EVENT ../ntp.cpp 683 </CODE></PRE> <P>However, how do I translate this into Splunk? When I try the Interactive Field Extractor, it always wants to start from the beginning of a line and I can't seem to get the correct Splunked regex for this field <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>Any help is greatly appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 25 Nov 2010 22:59:41 GMT https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94763#M24490 laurensv 2010-11-25T22:59:41Z https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94764#M24491 <P>You can add the regex-extraction to the props.conf file. Eg. <CODE>$SPLUNK_HOME/etc/system/local/props.conf</CODE> or in the app you want that extraction <CODE>$SPLUNK_HOME/etc/apps/&lt;app&gt;/local/props.conf</CODE></P> <PRE><CODE>[syslog] EXTRACT-some-fields = ProxySG.+\s+(?&lt;severity&gt;\w+) (?&lt;source_file&gt;\S+) (?&lt;line_no&gt;\d+)$ </CODE></PRE> <P>severity, source_file and line_no are the example field names. Splunk uses PCRE named groups to define the fieldname for extractions.</P> Fri, 26 Nov 2010 00:43:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94764#M24491 ziegfried 2010-11-26T00:43:18Z https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94765#M24492 <P>I appreciate your help very much ;), but this does not seem to work...<BR /> While source_file and line_no are correctly extracted, I get "T" &amp; "R" as severity in my log files. These correspond to the last letter of NORMAL_EVENT and SEVERE_ERROR respectively...</P> Mon, 28 Sep 2020 09:21:22 GMT https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94765#M24492 laurensv 2020-09-28T09:21:22Z https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94766#M24493 <P>I've modified the regex. This one should work.</P> Fri, 26 Nov 2010 20:07:36 GMT https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94766#M24493 ziegfried 2010-11-26T20:07:36Z https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94767#M24494 <P>Thank You! That did the trick <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 26 Nov 2010 21:51:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94767#M24494 laurensv 2010-11-26T21:51:18Z https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94768#M24495 <P>You might want to accept the answer, if it was helpful <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 26 Nov 2010 22:16:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94768#M24495 ziegfried 2010-11-26T22:16:56Z https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94769#M24496 <P>Done &amp; thanks again <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 26 Nov 2010 22:37:07 GMT https://community.splunk.com/t5/Splunk-Search/How-do-extract-fields-beginning-from-the-end-of-a-line/m-p/94769#M24496 laurensv 2010-11-26T22:37:07Z