topic Re: How to use Rex command to extract this field from my sample log? in Splunk Search

How to use Rex command to extract this field from my sample log?

Abilan1 — Mon, 02 Nov 2015 13:27:22 GMT

Hi,

Sample log file:

STD QBATCH:P GRAUT 77718 R5609812_S0000001_5847829

I want to create that highlighted term as a new event field. Only STD in that above line will be common in all over the logs, remaining words or characters may change. So I am not sure how to use Rex here. Also in the same indexed line it may occurs many time.

Thanks!

Re: How to use Rex command to extract this field from my sample log?

aholzer — Mon, 02 Nov 2015 13:53:42 GMT

Are the number of whitespaces between the "STD" and the value you want consistent?

If yes, then this should do the trick:

... | rex "STD\s([^\s]+\s){3}(?P<your_field>([^_]+_){2}))"

It will store this R5609812_S0000001_ as the value of your_field. If you don't want the second underscore in your value, you can do the following:

... | eval your_field = substr(your_field,1,len(your_field)-1)

Hope this helps.

Re: How to use Rex command to extract this field from my sample log?

Abilan1 — Mon, 02 Nov 2015 14:07:00 GMT

hi,

Thanks for your reply! whitespaces will vary.it's not constant.

Re: How to use Rex command to extract this field from my sample log?

aholzer — Mon, 02 Nov 2015 14:13:44 GMT

Can you provide more samples then?

Re: How to use Rex command to extract this field from my sample log?

woodcock — Mon, 02 Nov 2015 14:13:58 GMT

Like this:

| rex "(?<myField>[^\s_]+_[^\s_]+)_[^\s_]+$"

Re: How to use Rex command to extract this field from my sample log?

Abilan1 — Tue, 29 Sep 2020 07:47:38 GMT

Please find below

STD QBATCH:P ALIUYFG 54902 R5641003_A0000002_5853971

STD QBATCH:P JUCHOI 158875 R5641003_A0000002_5870061

STD QBATCH:P GYLUT 23335 R5609811_A0000003_5871713

Re: How to use Rex command to extract this field from my sample log?

aholzer — Tue, 29 Sep 2020 07:47:40 GMT

There are exactly 4 whitespaces between the "STD" and the value you want in every one of your samples. That seems pretty consistent.

Also can you clarify what you want to capture? Is it:
R5609811_A0000003_5871713
or
R5609811_A0000003_
or
R5609811_A0000003

Re: How to use Rex command to extract this field from my sample log?

aholzer — Mon, 02 Nov 2015 14:25:01 GMT

@Abilan1 what @woodcock here has said will work - if you add a close parenthesis after the dollar sign. It will capture everything between the last whitespace and the end as "myField". You can then use substring or further rex to extract just the first parts of that field.

Re: How to use Rex command to extract this field from my sample log?

Abilan1 — Mon, 02 Nov 2015 14:54:28 GMT

This one

R5609811_A0000003

Re: How to use Rex command to extract this field from my sample log?

aholzer — Mon, 02 Nov 2015 15:02:08 GMT

Try this:

| rex "\s(?<myField>[^\s_]+_[^\s_]+)_"

Based off of @woodcock 's answer

@Abilan1 I had a typo, I have removed the second close parenthesis from my answer

Re: How to use Rex command to extract this field from my sample log?

Abilan1 — Mon, 02 Nov 2015 15:08:55 GMT

I am getting "Regex: unmatched parentheses" error..

Re: How to use Rex command to extract this field from my sample log?

aholzer — Mon, 02 Nov 2015 15:15:09 GMT

I had a typo. I have edited my comment to remove it.

I had a second close parenthesis.

Re: How to use Rex command to extract this field from my sample log?

Abilan1 — Tue, 29 Sep 2020 07:47:48 GMT

hi,

Thank You! It is capturing only 1st record from that indexed line..As I said earlier, am having more records in the same line..

STD QBATCH:P ALIUYFG 54902 R5641003_A0000002_5853971

STD QBATCH:P JUCHOI 158875 R5641003_A0000002_5870061

STD QBATCH:P GYLUT 23335 R5609811_A0000003_5871713

Re: How to use Rex command to extract this field from my sample log?

aholzer — Mon, 02 Nov 2015 15:26:56 GMT

Do you mean that a single Splunk event can contain multiple lines from which you want to capture said field?

So for example the three samples you have provided above are a single event?