All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Regex for Field Extraction

robhorton
Explorer
‎06-27-2013 05:42 PM

I've been trying to create a regex to generate a field name without success. The data I'm attempting to parse looks like:

logsrv> Message server exiting.

I would like to make logsrv represent a subsystem so that my field is subsystem and logsrv is the data for that field.

So far I have the following expression that works on a regex tester: ^.*?(?=>)
but I'm missing something with Splunk since it won't return any results no matter I try. The field extractor doesn't have any luck either when I try to create the expression using logsrv from the results.

Please help.

0 Karma
Reply

Rob
Splunk Employee
Splunk Employee
‎06-27-2013 05:48 PM

Have you tried testing this out with the rex command in Splunk with the search language?

|rex field=_raw "^(?<subsystem>[^>]+)>"

I am not sure if that will work if your raw event has anything before the "logsrv>" in the event line such as a timestamp.

Reply

robhorton
Explorer
‎06-27-2013 05:57 PM

Thank you! You're right. The data has the timestamp on the previous line and splunk returns results with the time and logsrv combined.

Data:
27-Jun-13 19:34:37
logsrv> Message server exiting.

Result:
27-Jun-13 19:34:37 logsrv

Do I need to search for a preceding carriage return or pattern match the time?

Thanks again!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...