Re: Need Regex for a field extraction

sekhar463 · ‎03-01-2023

hai all,

need help on regex to extract Major as new field with message whatever after Major

Major SIPCM *SipCmRecvFromTcpSocket: Error in reading data on socketId 247, errno=104

Major NRS ARP lookup for 216.20.237.19 on interface pkt0 with addrContextId 1 failed: SIOGARP error , error 6

Major LVM *NpMediaYmacRespHdlr: error code 0x3 recvd for bcm cmd 4

sekhar463 · ‎03-01-2023

Want to extract all message after Major and keep in a new fields as Major

gcusello · ‎03-01-2023

Hi @sekhar463,

ok, all after Major in a field called "Major", please try this:

| rex "^Major\s+(?<Major>.*)"

that you can test at https://regex101.com/r/HBKc52/2

Ciao.

Giuseppe

gcusello · ‎03-01-2023

Hi @sekhar463,

let me understand:

you want to extract the word after Major (SIPCM, NRS and LVM) in a field called "Major" and the string after these values to the end as "message" field, is it correct?

if this is your need, please try this regex:

| rex "^Major\s+(?<major>\w+)\s+(?<message>.*)"

that you can test at https://regex101.com/r/HBKc52/1

Ciao.

Giuseppe

Help with Regex for a field extraction?

field extraction

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Join the Conversation

Help with Regex for a field extraction?

field extraction

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...