Field Extraction

sahana
Engager

Hi

I have a requirement to fetch some value like asf55-hsgf-56bj4b-rdhh-5b4f. These values are sent from the applications in two different ways, like:

1)message: dhgfsjd{endbjjdfg, country=hongkong, server=gvfhsd, idVal=asf55-hsgf-56bj4b-rdhh-5b4f, error=gvrf hdfhdsf, errorCode=47574}

The other format is

2)message: dhgfsjd{endbjjdfg, country=[hongkong], server=[gvfhsd], idVal=[asf55-hsgf-56bj4b-rdhh-5b4f], error=[gvrf hdfhdsf], errorCode=[47574]}

I was supposed to extract the idval value which should satisfy the above case.

I have tried with the below rex command:

| rex field=message "(idVal={1}(?P<ppid>.+?,))" | eval value=split(ppid,",")

output: asf55-hsgf-56bj4b-rdhh-5b4f

The above command is working fine for the first case alone, but when we have logs with the second case it returns output as [asf55-hsgf-56bj4b-rdhh-5b4f]

0 Karma

isoutamo
SplunkTrust

Hi

You can replace your rex string with this and remove the last eval at the same time:

| rex field=message "idVal=\[?(?P<ppid>.+?)\]?,"

r. Ismo 

0 Karma
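
An offline check of both patterns from this thread, as an added example that is not part of the original posts. Python's `re` module accepts the same `(?P<name>...)` syntax; the sample events are constructed from the two formats in the question, and the `STRICT` pattern and the trailing-field events are assumptions that go beyond what the thread covers.

```python
import re

EXPECTED_ID = "asf55-hsgf-56bj4b-rdhh-5b4f"

# Constructed sample events, modelled on the two formats in the question.
PLAIN = ("dhgfsjd{endbjjdfg, country=hongkong, server=gvfhsd, "
         "idVal=asf55-hsgf-56bj4b-rdhh-5b4f, error=gvrf hdfhdsf, errorCode=47574}")
BRACKETED = ("dhgfsjd{endbjjdfg, country=[hongkong], server=[gvfhsd], "
             "idVal=[asf55-hsgf-56bj4b-rdhh-5b4f], error=[gvrf hdfhdsf], "
             "errorCode=[47574]}")
# Constructed edge cases (assumption): idVal is the last key, so no comma follows.
LAST_PLAIN = "dhgfsjd{endbjjdfg, errorCode=47574, idVal=asf55-hsgf-56bj4b-rdhh-5b4f}"
LAST_BRACKETED = ("dhgfsjd{endbjjdfg, errorCode=[47574], "
                  "idVal=[asf55-hsgf-56bj4b-rdhh-5b4f]}")

# Pattern from the question: the capture includes the trailing comma.
QUESTION = re.compile(r"(idVal={1}(?P<ppid>.+?,))")
# Pattern from the answer: optional brackets sit outside the capture group.
ANSWER = re.compile(r"idVal=\[?(?P<ppid>.+?)\]?,")
# Assumed stricter variant, not from the thread: stop at the first delimiter
# instead of requiring a comma. Assumes the id never contains whitespace,
# commas, square brackets or a closing brace.
STRICT = re.compile(r"idVal=\[?(?P<ppid>[^\[\],}\s]+)")


def extract(pattern, message):
    """Return the ppid capture, or None when the pattern does not match."""
    match = pattern.search(message)
    return match.group("ppid") if match else None


def question_value(message):
    """Mimic the question's split(ppid, ","), keeping the first item."""
    ppid = extract(QUESTION, message)
    return ppid.split(",")[0] if ppid is not None else None


def compare(message):
    """Results of the three approaches for one event."""
    return {
        "question": question_value(message),
        "answer": extract(ANSWER, message),
        "strict": extract(STRICT, message),
    }


if __name__ == "__main__":
    for name, event in [("plain", PLAIN), ("bracketed", BRACKETED),
                        ("last_plain", LAST_PLAIN),
                        ("last_bracketed", LAST_BRACKETED)]:
        print(name, compare(event))
```
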