topic Re: How to edit my regex to extract this value from my data? in Splunk Search

How to edit my regex to extract this value from my data?

ibekacyril — Thu, 07 Apr 2016 18:54:57 GMT

This should be an easy thing to do but obviously, I am missing it. I need to extract "cannot be located"

c.f.a.k.m.SessionDaoImpl - The owner with id: s3498-34ef-034456d-c65a5678-fcd4-11e5-a5d4f cannot be located

[2016-04-07 15:41:44,760]

Here is my code:

my search | rex  "c\.f\.a\.k\.m\.SessionDaoImpl\s\-\sThe\sowner\swith\sid:\s[\w+\d+]\s(?<captureThis>\w+)"\[

Thanks in advance

Re: How to edit my regex to extract this value from my data?

javiergn — Thu, 07 Apr 2016 19:12:19 GMT

Try this instead:

my search 
| rex "(?msi):\s+[\w\-]+\s+(?<message>[\w\s]+)"

And then use the message variable as you wish.

EDIT to include code description as requested:

(?msi) --> support for multiline, "single line mode" makes the dot match all characters including line breaks, case insensitive
:\s+ --> find a colon followed by multiple blank spaces
[\w\-]+\s+ --> Look for 1 or more alphanumerical characters or hyphens followed by 1 or more blanks
(?<message>[\w\s]+) --> capture in the token message 1 or more alphanumerical or blank space characters

Re: How to edit my regex to extract this value from my data?

ibekacyril — Thu, 07 Apr 2016 20:10:22 GMT

Hi javiergn, I am only able to extract doesn. Could you explain you code too?
Thanks

Re: How to edit my regex to extract this value from my data?

ibekacyril — Thu, 07 Apr 2016 20:14:45 GMT

Just tweaked it and got "doesn't exist" by adding \'. How can I tweak it to get:
The owner with id doesn't exist

Thanks

Re: How to edit my regex to extract this value from my data?

javiergn — Thu, 07 Apr 2016 20:34:57 GMT

Hi,

I'm not sure what you mean. For instance, if I run the following in order to replicate your logs:

| stats count
| eval _raw ="c.f.a.k.m.SessionDaoImpl - The owner with id: s3498-34ef-034456d-c65a5678-fcd4-11e5-a5d4f cannot be located [2016-04-07 15:41:44,760]"
| rex "(?msi):\s+[\w\-]+\s+(?<message>[\w\s]+)"
| table message

I get the output:

message
cannot be located

Isn't that what you are trying to achieve?
If not, can you post your whole query here so that we can investigate a bit more?

Thanks,
J

Re: How to edit my regex to extract this value from my data?

ibekacyril — Fri, 08 Apr 2016 14:39:13 GMT

Hi J, I finally got it working. Thanks, it was my mistake

Re: How to edit my regex to extract this value from my data?

ibekacyril — Fri, 08 Apr 2016 15:15:50 GMT

Hi J, is there a way of combining two rex searches together say the first one like above and then I have this second rex "[Status] .+? - (?.+)" | code that combines message and output into one name (outMessage)

Re: How to edit my regex to extract this value from my data?

javiergn — Sat, 09 Apr 2016 12:59:09 GMT

You could do something like:

your search here
| rex "(?msi):\s+[\w\-]+\s+(?<message>[\w\s]+)"
| rex "\[Status\] .+?\-(?<output>.+)"
| eval outMessage = message + output

Careful with your regex by the way. If you don't escape the special characters it won't work as expected.