All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract data from log message data using rex field=_raw?

sandysaahil
Engager
‎04-03-2022 05:48 PM

Hi Gurus,

I am trying to extract data from log message using rex field=_raw. The regex I have is 

"Event <(?<eventNo>.*)>, Super <(?<super>.*)>, Charge <(?<oic>.*)>, number <(?<pcn>.*)>, Card <(?<cn>.*)>, CO <(?<co>.*)>, Warn <(?<warn>.*)>" | table _time oic eventNo pcn cn super co warn

and I am able to extract records. but the issue is may or may bot be present is the log and I still need to extract the rest of the data. I tried 

"Event <(?<eventNo>.*)>, Super <(?<super>.*)>, Charge <(?<oic>.*)>, number <(?<pcn>.*)>, Card <(?<cn>.*)>, (CO <(?<co>.*)>,)? Warn <(?<warn>.*)>" | table _time oic eventNo pcn cn super co warn

It gives me the records which does nto contain this item. I want to extract all the records irrestive of whether it is present or not present. Please let me know what am I doing wrong. Thanks a lot in advance.

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-03-2022 11:54 PM

Hi @sandysaahil,

in your logs you have a word thatr identifies each field, so you could create a regex for each field, in this way the other regexes aren't blocked when one field is missed, something like this:

index=your_index
| rex "Event \<(?<eventNo>\w*)"
| rex "Super \<(?<super>\d*)"
| rex "Charge \<(?<oic>\w*)"
| rex "number \<(?<pcn>\d*)"
| rex "Card \<(?<cn>\d*)"
| rex "CO \<(?<co>\w*)"
| rex "Warn \<(?<warn>\w*)" 
| table _time oic eventNo pcn cn super co warn

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎04-03-2022 06:22 PM

Please provide examples of both types of data. I am assuming you are saying that CO may or may not be in the data...?

0 Karma
Reply
Solved! Jump to solution

sandysaahil
Engager
‎04-03-2022 06:37 PM

You are right @bowesmana , the example data is 

Event <E523478>, Super <0>, Charge <N46965>, number <0199327578>, Card <2898005466>, Warn <true>
Event <E523478>, Super <0>, Charge <N46965>, number <0199327578>, Card <2898005466>, Warn <false>
Event <E521244>, Super <2>, Charge <N46965>, number <0199327750>, Card <2898005471>, CO <true>, Warn <true>

In third case, I get the value of CO which is missing from other two log statements. I want to ignore CO in other two but would like to extract CO if available.

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-03-2022 11:54 PM

Hi @sandysaahil,

in your logs you have a word thatr identifies each field, so you could create a regex for each field, in this way the other regexes aren't blocked when one field is missed, something like this:

index=your_index
| rex "Event \<(?<eventNo>\w*)"
| rex "Super \<(?<super>\d*)"
| rex "Charge \<(?<oic>\w*)"
| rex "number \<(?<pcn>\d*)"
| rex "Card \<(?<cn>\d*)"
| rex "CO \<(?<co>\w*)"
| rex "Warn \<(?<warn>\w*)" 
| table _time oic eventNo pcn cn super co warn

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

sandysaahil
Engager
‎04-12-2022 09:27 PM
@gcusello This is working perfectly fine. Thanks for the solution. Just want to check one more thing. one of the rex fields contains hypens. I tried using rex "Expiry \<(?[\d-]*)>" . It onle fetches first record but ignores rest of the same expiry fields from other logs. I get blank column for that. Do you think I am doing something wrong here. It works perfectly for all other words which does not contain special characters.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-12-2022 11:22 PM

Hi @sandysaahil,

I hint to create a new question, so more people can help you better and quicker!

Anyway, in the sample you shared there isn't any hypen, could you share some sample with and without hypens?

Ciao.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top