extract a string from a splunk event

Mohsin123 · ‎01-16-2018

Hi ,

Can anyone please give me the props for removing hostname= and path= strings from the below event

hostname=ip-10-13-0-248 path=/var/log/armorvox/2018/01/armorvox.2018-01-16.log 2018-01-16 11:07:20.507 main WARN o.e.j.u.component.AbstractLifeCycle: FAILED org.eclipse.jetty.server.Server@96def03: java.lang.IllegalStateException: no valid keystore
java.lang.IllegalStateException: no valid keystore
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(SourceFile:48)
at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SourceFile:1030)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SourceFile:255)

mayurr98 · ‎01-16-2018

hey you can try this run anywhere search

| makeresults | eval _raw="hostname=ip-10-13-0-248 path=/var/log/armorvox/2018/01/armorvox.2018-01-16.log 2018-01-16 11:07:20.507 main WARN o.e.j.u.component.AbstractLifeCycle: FAILED org.eclipse.jetty.server.Server@96def03: java.lang.IllegalStateException: no valid keystore
java.lang.IllegalStateException: no valid keystore
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(SourceFile:48)
at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SourceFile:1030)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SourceFile:255)" | rex field=_raw "^hostname=ip-(?<hostname>[^\s]+)\spath=(?<path>[^\s]+)"

In your environment you should try

<your_base_search> | rex field=_raw "^hostname=ip-(?<hostname>[^\s]+)\spath=(?<path>[^\s]+)"

let me know if this helps !

extract a string from a splunk event

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

extract a string from a splunk event

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...