Dashboards & Visualizations

How to fetch file name from raw logs

aditsss
Motivator

Hi Team,

2023-08-27 10:34:18.285 [INFO ] [Thread-30] TriumphUnbilledProcessor - TRIM.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

 

2023-08-27 07:38:31.688 [INFO ] [Thread-31] TriumphCancelTransferProcessor - TRIM.CNX event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

I want to fetch filenames(bold) from row logs: TRIM.UNBILLED and TRIM.CNX

my current query:

index="abc"sourcetype =600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "event published to ebnc:" NOT "Utils -" | rex " event published to ebnc: \[\{\"status\":\"(?<status>.*)\",\"description\":\"(?<description>.*)\"\}\]" | eval message="event published to ebnc"
| table message status description

 

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @aditsss,

is the processor word always present?

if yes, please try:

! rex "Processor - (?<field>[^ ]*)"

in other words, you have to find a rule to apply to the regex to identify the part to extract.

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aditsss,

please try the following regex:

! rex "Triumph.*Processor - (?<field>[^ ]*)"

that you can test at https://regex101.com/r/XNehPc/1

Ciao.

Giuseppe

0 Karma

aditsss
Motivator

@gcusello 

It will not always 

"Triumph.*Processor

CarsUnbilledProcessor - CARS.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

2023-08-30 04:30:48.058 [INFO ] [Thread-43] TriumphProductProcessor - TRIM.PRD event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

Its both CARS and Triumph 

@gcusello can you provide me regex now.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aditsss,

is the processor word always present?

if yes, please try:

! rex "Processor - (?<field>[^ ]*)"

in other words, you have to find a rule to apply to the regex to identify the part to extract.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aditsss,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...