topic Re: Regex to extract two strings from log and make as field in Splunk Search

Regex to extract two strings from log and make as field

pingdpk — Tue, 21 Feb 2017 12:08:00 GMT

Log - (given 2 lines for example)

2017/02/21 03:46:12.119-0800 [http-bio-8480-exec-3] C3AF4B3F9C2E40D2006D1513C81191A6.pppxwbtect014 INFO  c.e.c.w.b.r.ShirtsSaleResource -  #xHoster#  #**res_ShirtServiceTosite**#  ShirtsSaleResource.getLossier  , URI ->  /{1856659}  , Time taken to get JSON -> **58** milliseconds

2017/02/21 03:46:08.489-0800 [http-bio-8480-exec-2] 82F757837394C2E950AEB9A47043DD61.pppxwbtect010 INFO  c.e.c.p.m.i.CmppRestClientImpl -  #xHoster#  #**res_CmppToShirtService**#  CmppRestClientImpl.prepareChange  , URI -> http://ppp-Shirteu.ch.expeso.com:52008/order/PrepareChange , Time taken to get XML response ->  **178** milliseconds

Expected output :

Field1                            Field2
res_ShirtServiceToSite            58
res_CmppToShirtService            178

I tried :

index=app source=/var/log* "#xHoster#" | rex field=_raw res_(?.*)# | rex field=_raw .\-\>\s(?.*)\smilliseconds |table ptype,ptime

Re: Regex to extract two strings from log and make as field

rjthibod — Tue, 21 Feb 2017 13:12:46 GMT

How about this

index=app source=/var/log* "#xHoster#" 
| rex field=_raw  "#(?<ptype>res_[^#]+)#.+\-\>\s*(?<ptime>\d+)\s*milliseconds" 
| table ptype ptime

Re: Regex to extract two strings from log and make as field

alacercogitatus — Tue, 21 Feb 2017 13:45:31 GMT

I came up with \*\*(?<ptype>res_[^\*]+)\*\*.*?\*\*(?<ptime>\d+)\*\*

Re: Regex to extract two strings from log and make as field

nikhilb0763 — Wed, 22 Feb 2017 19:49:26 GMT

How about this:

rex field=_raw "(?res_[^*]+)" | rex field=_raw "\*(?\d+)"

Re: Regex to extract two strings from log and make as field

zanb — Wed, 22 Feb 2017 22:03:08 GMT

Here's my RegEx:

(?P<ptype>res_\w+).*\*\*(?P<ptime>\d+)

Re: Regex to extract two strings from log and make as field

aaraneta_splunk — Thu, 20 Apr 2017 00:58:18 GMT

@pingdpk - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!