Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fetch file name from raw logs

aditsss
Motivator
‎08-31-2023 03:09 AM

Hi Team,

2023-08-27 10:34:18.285 [INFO ] [Thread-30] TriumphUnbilledProcessor - TRIM.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

 

2023-08-27 07:38:31.688 [INFO ] [Thread-31] TriumphCancelTransferProcessor - TRIM.CNX event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

I want to fetch filenames(bold) from row logs: TRIM.UNBILLED and TRIM.CNX

my current query:

index="abc"sourcetype =600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "event published to ebnc:" NOT "Utils -" | rex " event published to ebnc: \[\{\"status\":\"(?<status>.*)\",\"description\":\"(?<description>.*)\"\}\]" | eval message="event published to ebnc"
| table message status description

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2023 03:30 AM

Hi @aditsss,

is the processor word always present?

if yes, please try:

! rex "Processor - (?<field>[^ ]*)"

in other words, you have to find a rule to apply to the regex to identify the part to extract.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2023 03:13 AM

Hi @aditsss,

please try the following regex:

! rex "Triumph.*Processor - (?<field>[^ ]*)"

that you can test at https://regex101.com/r/XNehPc/1

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎08-31-2023 03:25 AM

@gcusello 

It will not always 

"Triumph.*Processor

CarsUnbilledProcessor - CARS.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

2023-08-30 04:30:48.058 [INFO ] [Thread-43] TriumphProductProcessor - TRIM.PRD event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

Its both CARS and Triumph 

@gcusello can you provide me regex now.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2023 03:30 AM

Hi @aditsss,

is the processor word always present?

if yes, please try:

! rex "Processor - (?<field>[^ ]*)"

in other words, you have to find a rule to apply to the regex to identify the part to extract.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2023 03:54 AM

Hi @aditsss,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...