Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Could someone help me with Regex to extract suitable fields?

sphiwee
Contributor
‎04-05-2022 05:27 AM

I have the below log and I'm using the following regex to extract these fields "date", "process" ,"step", "user", "log level" 

rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s+\[(?<Process>\[[^\]]+\][^\]]+)\]\s+\[(?<Step>[^\]]+)\]\s+\[(?<User>[^\]]+)\]\s+[^\[]+\[(?<Log_level>[^\]]+)


When the log is like the first entry data is extracted without an issue, but once it's like the last three entries nothing is extracted, how can I solve this. 

2021-09-28 10:20:27 [machine-run-76416-hit-644640-step-12470][Business Process Name][Business Process Step Name][Bot Users] MetadataStorage [ERROR] Boot failed

2022-04-04 23:30:16 [http-nio-127.0.0.1-7080-exec-3] [] [] [] DataBaseChecker [DEBUG] Checking MySQL ...
2022-04-04 23:30:16 [http-nio-127.0.0.1-7080-exec-3] [] [] [] DatabaseVersionChecker [INFO] Database is up to date.
2022-04-04 23:30:16 [http-nio-127.0.0.1-7080-exec-3] [] [] [] DataBaseChecker [DEBUG] Checking PostgreSQL ...
2022-04-04 23:30:16 [http-nio-127.0.0.1-7080-exec-3] [] [] [] OcrHealthChecker [DEBUG] Checking OCR ...


Labels (3)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-05-2022 05:52 AM

Your log messages don't quite tally with the regex you say works (as @gcusello ) pointed out. If the spaces are supposed to be absent, try this

^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)

https://regex101.com/r/WvRDp5/1 

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-05-2022 05:52 AM

Your log messages don't quite tally with the regex you say works (as @gcusello ) pointed out. If the spaces are supposed to be absent, try this

^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)

https://regex101.com/r/WvRDp5/1 

Reply
Solved! Jump to solution

sphiwee
Contributor
‎04-05-2022 11:33 AM

Thanks this works, how can I also extract the words after the error? So i can identify the error that I received

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-05-2022 11:40 AM 
^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)\]\s*(?<Error>.+)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-05-2022 05:45 AM

Hi @sphiwee,

please check this regex:

| rex "^(?<timestamp>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s+\[(?<business_process_name>[^\]]*)\]\s+\[(?<business_process_step>[^\]]*)\]\s+\[(?<users>[^\]]*)\]\s+\w+\s+\[(?<error>[^\]]*)\]"

that you can test at https://regex101.com/r/NuLFWU/1

put attention to this point: you have some missing space in the first row.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...