topic Re: rex value up until 2 optional words in Splunk Search

rex value up until 2 optional words

Cuyose — Thu, 16 Apr 2015 18:37:15 GMT

If I wanted to find the string "This is the error I want" in the following 2 events, what would the rex look like. I can't believe its not a common issue as I can not find a syntax in documentation anywhere that works

Message=This is the error I want. - ea1ff4f5-8c97-4ac4-9ba1-0f533a33f62b

Message=This is the error I want

Re: rex value up until 2 optional words

masonmorales — Thu, 16 Apr 2015 18:47:12 GMT

Assuming there aren't any periods in the error you want, you could do:

rex "Message=(?<Yourfieldname>[^\.]+)"

If there are periods, you could do:

rex "Message=(?<Yourfieldnamehere>[^\s\-\s]+)\s\-\s"

rex "Message=(?<Yourfieldnamehere>.+)\s\-\s"

You can also try out your own expressions at: http://www.regexr.com/

Re: rex value up until 2 optional words

Cuyose — Thu, 16 Apr 2015 18:51:09 GMT

Hmm, I kinda figured this would be harder to explain. I needed to provide better examples. I edited the events. Basically it HAS to look for an end anchor that can be multiple strings.

Message=This is the. - error I want. - ea1ff4f5-8c97-4ac4-9ba1-0f533a33f62b

Message=This. - is the error I want

Re: rex value up until 2 optional words

masonmorales — Fri, 17 Apr 2015 20:30:19 GMT

Sorry, I'm not following. Perhaps you could explain another way? Also, please note that it is discourteous to down vote answers of people that are trying to help you.