Field extraction: Trim each event and create a fie...

Allampally · ‎04-30-2019

Hi Experts,

I have few logs as below, i want to capture all unregistered uri (from unregistered uri text to end of the each line) and put them all in one new field. I need to exclude some text in each line of the event

12:39:25.749 AM
30-Apr-2019 00:39:25.749 INFO [Thread-532] org.apache.catalina.core.StandardService.stopInternal Stopping service [Catalina]
ApplicationRegistry- Unregistered the uri /google/page for "leaked issue"
ApplicationRegistry- Unregistered the uri /facebook/line for "closed connection"
ApplicationRegistry- Unregistered the uri /redmi/router for "open page"

13:39:25.749 AM
30-Apr-2019 00:39:25.749 INFO [Thread-652] org.apache.catalina.core.StandardService.stopInternal Stopping service [Catalina]
ApplicationRegistry- Unregistered the uri /twitter/com for "job manager"
ApplicationRegistry- Unregistered the uri /snapchat/in for "kick off"
ApplicationRegistry- Unregistered the uri /cooler/net for "inner string"

tom_frotscher · ‎05-02-2019

Hi,

not sure what you want to achieve exactly. But for your field, how about this field extraction:
your search here | rex max_match=0 "Unregistered the uri\s(?[^\n]+)"

This puts the results per event in one multi value field called "new_field". Is this what you wanted to do?

Greetings

Tom

Field extraction: Trim each event and create a field to extract only particular words

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...