Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rex to extract particular field

harishnpandey
Explorer
‎07-24-2017 01:43 PM

Hi ,

I have below string and need to extract field after HCM5250: and before .
Also, while doing search need to consider 65.
Both response Code and responseMessage written on separate lines

65
updateContractTxnAccount Failed - update HCM5250:AD1218494460121708

For e.g:

index=mylog "65" AND "updateContractTxnAccount Failed - update HCM5250:" |rex

Not sure how to get exact rex here . Appreciate your help !!

Thanks ,

Harish

Tags (1)
0 Karma
Reply

harishnpandey
Explorer
‎07-25-2017 06:29 AM

Below is my exact input stings out of which I need to extract only "AD1218494460121708" which is txn account number..All transaction a/c I need to extract from log

0 Karma
Reply

bheemireddi
Communicator
‎07-25-2017 07:22 AM

harishnpandey,

Did you mean to post the actual sample event?

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎07-24-2017 03:31 PM

If your event will have HCM5250 always, then:

rex "<responseCode>(?P<responseCode>\d+)[\s\S]+HCM5250:(?P<responseMessage>[^<]+)<"

or

rex "<responseCode>(?P<responseCode>\d+)[\s\S]+HCM5250:(?P<responseMessage>\w+)<"

Given the data as shown, either of these should work. If your data for the message is more generic, but you want the : to the end of the XML field, then try:

rex "<responseCode>(?P<responseCode>\d+)[\s\S]+<responseMessage>[^<]*?:(?P<responseMessage>[^<]+)<"
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎07-25-2017 07:44 AM

Here is the rex you need if you only need the last part of the responseMessage:

rex "<responseMessage>[^<]*?:(?P<fieldToBeExtracted_callMeWhatYouWant>[^<]+)<"

That should extract everything from after the colon (:) on to the end of the field.

0 Karma
Reply

harishnpandey
Explorer
‎07-24-2017 02:01 PM 
 <responseCode>65</responseCode>
  <responseMessage>updateContractTxnAccount Failed - update HCM5250:AD1218494460121708</responseMessage>
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎07-24-2017 03:12 PM

Is this an actual sample event you pasted here?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...