topic Re: What is the proper regex syntax to use rex to create 4 new fields? in Splunk Search

What is the proper regex syntax to use rex to create 4 new fields?

akelly4 — Mon, 28 Sep 2020 18:18:44 GMT

I have a log line that looks like the following:

2014-11-28 19:28:42 smx02 postfix/smtp[57736]: 6F7471C73AC_479133AF: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.13, delays=0.01/0/0/0.12, dsn=2.0.0, status=sent (250 OK, sent 5479133A_6994_12793_1 8E560172844_479133AB)

I want to use regex to create 4 new fields.

Field1 - 6F7471C73AC_479133AF (number/letter combinations)
Field2 - 5479133A_6994_12793_1 (number/letter combinations)
Field3 - 8E560172844_479133AB (number/letter combinations)
Field 4 - 57736 (Always number)

I know I can use the rex field=FIELDNAME command, but I can't seem to get the syntax to work.

Is there anyone that can point me in the right direction or give me some times on how to create these fields. I really just want to understand the Splunk syntax.

Re: What is the proper regex syntax to use rex to create 4 new fields?

richgalloway — Tue, 02 Dec 2014 19:48:27 GMT

For problems like this, RegExr is a great tool. Using it and your sample event, I came up with this.

rex "\[(?<Field4>\d+)]:\s+(?<Field1>\S+):[\s\S]+?, sent (?<Field2>\S+) (?<Field3>\S+)"

Re: What is the proper regex syntax to use rex to create 4 new fields?

ppablo — Tue, 02 Dec 2014 20:06:31 GMT

Also, here's a previous Answers posts with a collection of users' favorite resources for regex help 🙂

http://answers.splunk.com/answers/153171/is-there-any-online-regex-tool-to-create-regular-e.html

Re: What is the proper regex syntax to use rex to create 4 new fields?

abhay1991 — Tue, 29 Sep 2020 22:00:21 GMT

/apps/IHSLogs/com-ihs85-pd01-01/IRXWebCommon/access_log_2018-11-16

how to extract this field