Solved: Need help with a Rex command

Mrig342 · ‎01-26-2021

Hi,

I am trying to extract "Sync_State" from the below logs types:

log1: Synchronization : In Sync

log2: Synchronization : Out of Sync

I created the rex command "(?ms)Synchronization\s:\s(?<Sync_State>\w+\s\w+)". Using this I am getting "In Sync" in the right way but for "Out of Sync" I am getting only "Out of".

Please help me create a rex command to extract the field values in the desired way.

Thank you.

ITWhisperer · ‎01-26-2021

OK either just remove the $ or add State to the end

rex "(?ms)Synchronization\s:\s(?<Sync_State>[\w\s]+Sync)\sState"

View solution in original post

ITWhisperer · ‎01-26-2021

| rex "(?ms)Synchronization\s:\s(?<Sync_State>[\w\s]+Sync$)"

Although, without the complete log entry, it may be that $ is inappropriate and something else would be better suited to denote the end of the value

Mrig342 · ‎01-26-2021

Hi ITWhisperer,

Thank you for your response. However it didn't work for me.

If you want to check the complete log entry then please find it below:

log1: Mon Jan 25 19:07:03 EST 2021 Node Id :47337 Node State : Not running Synchronization : In Sync State : Stopped Number of template version : 6

log2: Mon Jan 25 19:07:03 EST 2021 Node Id :47337 Node State : Running Synchronization : Out of Sync State : Stopped Number of template version : 6

ITWhisperer · ‎01-26-2021

OK either just remove the $ or add State to the end

rex "(?ms)Synchronization\s:\s(?<Sync_State>[\w\s]+Sync)\sState"

Mrig342 · ‎01-26-2021

Thank you very much ITWhisperer.. It worked. Your support is much much appreciated.

Need help with a Rex command

token

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor