Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fetch file name from raw logs

aditsss
Motivator
‎08-31-2023 03:09 AM

Hi Team,

2023-08-27 10:34:18.285 [INFO ] [Thread-30] TriumphUnbilledProcessor - TRIM.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

 

2023-08-27 07:38:31.688 [INFO ] [Thread-31] TriumphCancelTransferProcessor - TRIM.CNX event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

I want to fetch filenames(bold) from row logs: TRIM.UNBILLED and TRIM.CNX

my current query:

index="abc"sourcetype =600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "event published to ebnc:" NOT "Utils -" | rex " event published to ebnc: \[\{\"status\":\"(?<status>.*)\",\"description\":\"(?<description>.*)\"\}\]" | eval message="event published to ebnc"
| table message status description

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2023 03:30 AM

Hi @aditsss,

is the processor word always present?

if yes, please try:

! rex "Processor - (?<field>[^ ]*)"

in other words, you have to find a rule to apply to the regex to identify the part to extract.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2023 03:13 AM

Hi @aditsss,

please try the following regex:

! rex "Triumph.*Processor - (?<field>[^ ]*)"

that you can test at https://regex101.com/r/XNehPc/1

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎08-31-2023 03:25 AM

@gcusello 

It will not always 

"Triumph.*Processor

CarsUnbilledProcessor - CARS.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

2023-08-30 04:30:48.058 [INFO ] [Thread-43] TriumphProductProcessor - TRIM.PRD event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

Its both CARS and Triumph 

@gcusello can you provide me regex now.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2023 03:30 AM

Hi @aditsss,

is the processor word always present?

if yes, please try:

! rex "Processor - (?<field>[^ ]*)"

in other words, you have to find a rule to apply to the regex to identify the part to extract.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2023 03:54 AM

Hi @aditsss,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise Security 8.0!

Join us on Wednesday, November 20 to learn about Splunk Enterprise Security 8.0!To enhance SOC efficiency, ...

Mastering Threat Hunting

Register to watch Mastering Threat Hunting on Monday, November 18Join us for an insightful talk where we dive ...

Upcoming Community Maintenance: 10/28

Howdy folks, just popping in to let you know that the Splunk Community site will be in read-only mode ...