Re: Field extraction: Trim each event and create a...

Allampally · ‎04-30-2019

Hi Experts,

I have few logs as below, i want to capture all unregistered uri (from unregistered uri text to end of the each line) and put them all in one new field. I need to exclude some text in each line of the event

12:39:25.749 AM
30-Apr-2019 00:39:25.749 INFO [Thread-532] org.apache.catalina.core.StandardService.stopInternal Stopping service [Catalina]
ApplicationRegistry- Unregistered the uri /google/page for "leaked issue"
ApplicationRegistry- Unregistered the uri /facebook/line for "closed connection"
ApplicationRegistry- Unregistered the uri /redmi/router for "open page"

13:39:25.749 AM
30-Apr-2019 00:39:25.749 INFO [Thread-652] org.apache.catalina.core.StandardService.stopInternal Stopping service [Catalina]
ApplicationRegistry- Unregistered the uri /twitter/com for "job manager"
ApplicationRegistry- Unregistered the uri /snapchat/in for "kick off"
ApplicationRegistry- Unregistered the uri /cooler/net for "inner string"

tom_frotscher · ‎05-02-2019

Hi,

not sure what you want to achieve exactly. But for your field, how about this field extraction:
your search here | rex max_match=0 "Unregistered the uri\s(?[^\n]+)"

This puts the results per event in one multi value field called "new_field". Is this what you wanted to do?

Greetings

Tom

Field extraction: Trim each event and create a field to extract only particular words

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Field extraction: Trim each event and create a field to extract only particular words

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!