extract characters after colon

ksharany · ‎07-09-2018

Hi ,

My log consists of below

msg: 2018-07-07 14:30:02.226 INFO 7 --- [nio-8080-exec-6] c.f.p.a.service.CGEventRetimeService : <> : 12006

I need to extract the values after <> : i.e) 12006 alone and create alert to be sent to user .

How do I do it ?

PowerPacked · ‎07-10-2018

Hi @ksharany

Take a look at this.

Thanks

FrankVl · ‎07-09-2018

Two options:

use the characters in front of it as demarkation point: | rex "\<\>\s+:\s+(?<field1>\d+)" https://regex101.com/r/0na0Fq/1
if it is really at the end of the event and you don't have other (similar) logs that cause issues, you can grab if from the end of the string: | rex "(?<field1>\d+)$" https://regex101.com/r/0na0Fq/2

Note that second option is a simpler regex, but less efficient.

jodyfsu · ‎07-09-2018

This should work:

| rex "\<\>\s\:\s(?<NUMBERS>\d+)"

Let us know if you need more help.

ksharany · ‎07-10-2018

To be more precise - i need to search for msg with " Invalid Retimed Control Group " text and extract the highlighted felds

msg: 2018-07-07 14:30:02.226 INFO 7 --- [nio-8080-exec-6] c.f.p.a.service.CGEventRetimeService : < Invalid Retimed Control Group > : CCF 2018 12006

and display the highlighted bold once as separate columns in CSV file as below

Date - 2018-07-07
Time - 14:30:02
PTVL - CCF
MY - 2018
CG - 12006

jodyfsu · ‎07-10-2018

give this a shot:

| rex "^msg\:\s(?<DATE>.[^\s]+)\s(?<TIME>.[^\s]+).[^\:]+\:.[^\:]+\:\s(?<PTVL>.[^\s]+)\s(?<MY>.[^\s]+)\s(?<CG>.[^\s]+)"

jodyfsu · ‎07-10-2018

You will want to do
| table DATE TIME PTVL MY CG

extract characters after colon

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?