https://community.splunk.com/t5/Splunk-Search/regex-field-extraction-question/m-p/33213#M7051 <P>You might better off to <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Indexmulti-lineevents">break up the log lines into individual events</A> by setting the SHOULD_LINEMERGE value to "false" in <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">props.conf</A>.</P> <P>And then use a regex like : </P> <PRE><CODE>(?im)Socket connect\|.*\|Time\staken\sis\s(?&lt;socket_connect_time&gt;.+) </CODE></PRE> <P>You could also add well named field extractions for the other fields too :</P> <PRE><CODE>(?im)Compress\|.*\|Time\staken\sis\s(?&lt;compression_time&gt;.+) (?im)Socket send\|.*\|Time\staken\sis\s(?&lt;socket_send_time&gt;.+) (?im)Process successfully\|Total\sprocessing\stime\sis\s(?&lt;total_processing_time&gt;.+) </CODE></PRE> Mon, 23 Apr 2012 05:20:43 GMT Damien_Dallimor 2012-04-23T05:20:43Z https://community.splunk.com/t5/Splunk-Search/regex-field-extraction-question/m-p/33212#M7050 <P>this is the search i use:<BR /> sourcetype="Outbound" | head 10000 | rex "(?im)^(?:[^:\n]*:){3}\d+\|\w+\s+\w+\s+\w+\s+(?P<SOCKET_TIME>.+)" | top 50 Socket_time</SOCKET_TIME></P> <P>which works and are able to extract the field: socket_time</P> <P>Corrected extracted out data: 0ms (or any time that is specified)</P> <P>however, the moment i identify it as a fieldtype, the extracted data goes all wrong.<BR /> extracted out: <BR /> 0ms <BR /> &lt;and other remaining info from the log are included, making this search giving alot unique hits.</P> <P>Example of one Event:</P> <BLOCKQUOTE> <P>2012-03-21 00:00:12.299 - Socket connect|10.53.16.120:5000|Time taken is 2ms <BR /> 2012-03-21 00:00:12.299 - Compress|From 00173 to 00079| Time taken is 0ms <BR /> 2012-03-21 00:00:12.436 Socket send|10.53.16.120|Time taken is 136ms <BR /> 2012-03-21 00:00:12.436 - Send|00079|BQC911CM00314 BQC911 <COMPRESSED> <BR /> 2012-03-21 00:00:12.436 - &gt; Process successfully|Total processing time is 160ms</COMPRESSED></P> </BLOCKQUOTE> <P>as u can see. im just trying to get the 2ms out. but the search is extracting it all the way to the end of the event. </P> <P>my question to anyone whose willing to help is which regex expression should i put to ignore everything after '2ms'. </P> <P>Thanks!</P> <P>EDIT: i ran it through Field extractor and were able to produce results:<BR /> e.g.<BR /> <FIELDNAME> <COUNT><BR /> 0ms 12 <BR /> 12ms 21<BR /> 19ms 43</COUNT></FIELDNAME></P> <P>BUT. when i select it normally as a field in search app: this is wat shows up:</P> <P>Socket_time=0ms2012-03-21 11:16:51.756 DEBUG - BQC911|Compress|From 00173 to 00078|Time taken is 0ms2012-03-21 11:16:51.877 DEBUG - BQC911|Socket send|10.53.16.120|Time taken is 120ms2012-03-21 11:16:51.877 INFO - BQC911|Send|00078|BQC911CM00413 BQC911 <COMPRESSED>2012-03-21 11:16:51.877 INFO - BQC911|Process successfully|Total processing time is 127ms</COMPRESSED></P> <P>basically the entire 'event' has been absorbed into this fieldname. </P> Mon, 23 Apr 2012 04:53:06 GMT https://community.splunk.com/t5/Splunk-Search/regex-field-extraction-question/m-p/33212#M7050 attgjh1 2012-04-23T04:53:06Z https://community.splunk.com/t5/Splunk-Search/regex-field-extraction-question/m-p/33213#M7051 <P>You might better off to <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Indexmulti-lineevents">break up the log lines into individual events</A> by setting the SHOULD_LINEMERGE value to "false" in <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">props.conf</A>.</P> <P>And then use a regex like : </P> <PRE><CODE>(?im)Socket connect\|.*\|Time\staken\sis\s(?&lt;socket_connect_time&gt;.+) </CODE></PRE> <P>You could also add well named field extractions for the other fields too :</P> <PRE><CODE>(?im)Compress\|.*\|Time\staken\sis\s(?&lt;compression_time&gt;.+) (?im)Socket send\|.*\|Time\staken\sis\s(?&lt;socket_send_time&gt;.+) (?im)Process successfully\|Total\sprocessing\stime\sis\s(?&lt;total_processing_time&gt;.+) </CODE></PRE> Mon, 23 Apr 2012 05:20:43 GMT https://community.splunk.com/t5/Splunk-Search/regex-field-extraction-question/m-p/33213#M7051 Damien_Dallimor 2012-04-23T05:20:43Z https://community.splunk.com/t5/Splunk-Search/regex-field-extraction-question/m-p/33214#M7052 <P>the whole chunk of text are one entire event. that's why its annoying =/ <BR /> wondering if there's any regex that ignores remaining lines?</P> Mon, 23 Apr 2012 05:35:28 GMT https://community.splunk.com/t5/Splunk-Search/regex-field-extraction-question/m-p/33214#M7052 attgjh1 2012-04-23T05:35:28Z https://community.splunk.com/t5/Splunk-Search/regex-field-extraction-question/m-p/33215#M7053 <P>Well if you really want to stick with 1 single merged event :</P> <P>(?im)Socket connect\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{2,5}\|Time\staken\sis\s(?<SOCKET_CONNECT_TIME>\d+ms)</SOCKET_CONNECT_TIME></P> Mon, 23 Apr 2012 05:59:03 GMT https://community.splunk.com/t5/Splunk-Search/regex-field-extraction-question/m-p/33215#M7053 Damien_Dallimor 2012-04-23T05:59:03Z https://community.splunk.com/t5/Splunk-Search/regex-field-extraction-question/m-p/33216#M7054 <P>thanks alot <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 24 Apr 2012 01:50:00 GMT https://community.splunk.com/t5/Splunk-Search/regex-field-extraction-question/m-p/33216#M7054 attgjh1 2012-04-24T01:50:00Z