Solved: Regex Help

alan20854 · ‎07-13-2016

Hello,

I am trying to create a table on my dashboard with the time stamp and the buildID. However, I am having regex trouble with my search.

Here is the search without the field extraction: host= x source= x "PDD_BUILDID". These events contain the buildID in a format such as [BUILDID=APP-2016.8-20160712194753]

This is my current search:

host= x source= x  "PDD_BUILDID"|rex field=_raw "BUILDID=(?P<build>\w*\d*\w*\d*\w*\d*)\x5D" | table build

I would like my table to contain the time and buildIDs such as APP-2016.8-20160712194753.

What am I doing wrong?

sundareshr · ‎07-13-2016

Try this

 host= x source= x  "PDD_BUILDID"|rex field=_raw "BUILDID=(?P<build>[^\]]+)" | table build

View solution in original post

somesoni2 · ‎07-13-2016

Try like this

 host= x source= x  "PDD_BUILDID"|rex field=_raw "BUILDID=(?P<build>[^-]+-[^-]+)-(?<time>\d+)" | table build time | rex mode=sed field=time "s/(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})/\1-\2-\3- \4:\5:\6/g"

sundareshr · ‎07-13-2016

Try this

 host= x source= x  "PDD_BUILDID"|rex field=_raw "BUILDID=(?P<build>[^\]]+)" | table build

Regex Help

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation