topic Re: Regex three lines with same format to create three field extractions in Splunk Search

Regex three lines with same format to create three field extractions

Bliide — Thu, 26 Jun 2014 15:29:43 GMT

I am trying to pull specific lines from a log file. I have a format that is repeated and I have a regex that is pulling the info from those lines. My problem is that there are 3 lines that have the same format. I need a way to pull each line separately. The REGEX I am using for the field extraction looks like this:

(?i)^(?:[^:]*:){3}(?P[log_error].+)

The regex works but it is pulling lines that have LOG ERROR, LOG INFO and LOG EXCEPTION. The logs look like this:

LOG ERROR:6/6/2014 3:37 PM:

LOG INFO:6/6/2014 3:37 PM:

LOG EXCEPTION:6/6/2014 3:37 PM:

I have tried putting text into the REGEX for each line but I must be inputting something incorrectly. My goal is to create three field extractions (logerror, loginfo and logexcept). I know I just need to add a simple text match to the REGEX but I cannot figure out what I am doing wrong.

Re: Regex three lines with same format to create three field extractions

somesoni2 — Thu, 26 Jun 2014 16:01:09 GMT

Give this a try

Your base search | rex "(?i)^LOG (INFO(?:[^:]*:){3}(?P<loginfo>.+)|ERROR(?:[^:]*:){3}(?P<logerror>.+)|EXCEPTION(?:[^:]*:){3}(?P<logexcept>.+))"

Re: Regex three lines with same format to create three field extractions

landen99 — Wed, 17 Jun 2015 21:34:25 GMT

I recommend:

(?i)^LOG\s*(?P<log_info>[^:]*):(?P<log_date>[^:]*)

as an automatic field extraction if the events are separated. Otherwise you need to fix the indexing so that the events are separated.