Re: extract string to a field

navd · ‎06-17-2018

I have some strings appearing in the events , i want to extract them ,it doesnt have any keyvalue pair
sample event :-
6/15/18
4:53:00.123 PM 420420 1529074380797 2018-06-15 14:53:00.797 10.224.34 - - - - prod abc.services ffffffffdcfb607e-186-16403ef6ffd000 ERROR ERROR - - - - com.data.driver.core.exceptions.NouserAvailableException: All user(s) tried for query failed

so from the above event I would want to extract "com.data.driver.core.exceptions.NouserAvailableException"

vinod94 · ‎06-18-2018

if the events are of the same type, you can try this...

| makeresults 
| eval data="6/15/18
4:53:00.123 PM 420420 1529074380797 2018-06-15 14:53:00.797 10.224.34 - - - - prod abc.services ffffffffdcfb607e-186-16403ef6ffd000 ERROR ERROR - - - - com.data.driver.core.exceptions.NouserAvailableException: All user(s) tried for query failed" 
| rename data as _raw 
| rex field=_raw "ERROR\s\-\s\-\s\-\s\-(?P<field_name>[^\:]+)"

lloydknight · ‎06-17-2018

Hello @navd

You may refer to this link to access the field extractor,
Or you can extract fields using regex. See link.

Also, if the provided sample event is in uniform with the succeeding events, try this query:

your base search | rex "\ERROR ERROR - - - - (?<Exception>.*)\:"

Hope it helps!

Ayn · ‎06-17-2018

What other data around it can you rely on to stay the same? Are the dashes before your text static for instance? Did you try the interactive field extractor?

extract string to a field

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes