https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167240#M47605 <P>This is exactly what I wanted thank you very much!</P> Mon, 22 Jun 2015 20:13:59 GMT shrirangphadke 2015-06-22T20:13:59Z https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167235#M47600 <P>Hi,</P> <P>I am trying to extract few fields out of logs but Splunk field extraction is not working in my case.</P> <P>For example:</P> <PRE><CODE>2015-06-17 13:48:55,689 abc-field [SystemEvent] Time:'June 17, 2015 8:48:55 PM GMT',Severity:'Critical', Event Source:'domain-c0', Code:'301503', Event Message:'Failed to publish abcd configuration version 1408159473758 to cluster domain-c0. Refer logs for details', Module:'abcd something' 2015-06-17 13:48:55,620 abc-xyz-something June 17, 2015 8:48:55 PM GMT INFO SimpleAsyncTaskExecutor-1 SystemEventDaoImpl:124 - [SystemEvent] Time:'June 17, 2015 8:48:55 PM GMT',Severity:'Informational', Event Source:'edge-0', Code:'30101', Event Message:'abcd was booted', Module:'abcd something Appliance' </CODE></PRE> <P>In above two log snippets I am trying to extract value of the field "Severity".<BR /> But since the position of field "Severity" in both the logs are different Splunk returns the field such as:<BR /> 1. Critical<BR /> 2. June</P> <P>Probably it is because Splunk does regex parsing based on position.</P> <P>I want to extract the fields based on pre-context and post-context.<BR /> For example:<BR /> Pre-context: "Severity:'"<BR /> Required value<BR /> Post-context: "', Event"</P> <P>I am completely stuck here. Please help. </P> Fri, 19 Jun 2015 00:55:08 GMT https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167235#M47600 shrirangphadke 2015-06-19T00:55:08Z https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167236#M47601 <P>Assuming these are the only 2 variants, try this:</P> <PRE><CODE>... | rex "^.*?Severity\s*:\s*'?(?&lt;Severity&gt;[^'\s]+)" </CODE></PRE> Fri, 19 Jun 2015 01:04:37 GMT https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167236#M47601 woodcock 2015-06-19T01:04:37Z https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167237#M47602 <P>Thank you very much for your answer !<BR /> Now it will take me another day to understand this <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Fri, 19 Jun 2015 01:13:26 GMT https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167237#M47602 shrirangphadke 2015-06-19T01:13:26Z https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167238#M47603 <P>Is there any Splunk regex tutorial which I can follow ?</P> Fri, 19 Jun 2015 01:19:05 GMT https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167238#M47603 shrirangphadke 2015-06-19T01:19:05Z https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167239#M47604 <P>I learned by doing but that's just the way I am. So although I cannot help you much there, I can suggest some tools. My favorite is <CODE>Expresso</CODE> which is free. I use this almost every day. It does a good job of "translating" the RegEx to english on the right side so that when somebody gives you a solution (like I did), it will show you bit-by-bit which each part of the RegEx is doing.</P> Fri, 19 Jun 2015 01:23:37 GMT https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167239#M47604 woodcock 2015-06-19T01:23:37Z https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167240#M47605 <P>This is exactly what I wanted thank you very much!</P> Mon, 22 Jun 2015 20:13:59 GMT https://community.splunk.com/t5/Splunk-Search/Context-based-regex-field-extraction/m-p/167240#M47605 shrirangphadke 2015-06-22T20:13:59Z