Need help to write regex.
I have 2 sets of logs. I am supposed to extract the content between the last 2 '#' in the logs below.
Please help.
<12>Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#
<12>Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #
The information written in bold needs to be extracted into a field called 'message'.
I tried the following regex:
(?(field_name_with_angular_brackets)User..\s.)
Please let me know how to do this.
Also, please let me know how to combine the regexes of 2 fields into a single field.
Another option with just 1 step:
(your search) | rex "#\s(?!.*# )(?<message>[^#]+)#$"
Then, if you want to create a new field from two others, just use a period between them:
...
| eval f1="abc"
| eval f2="123"
| eval f3=f1.f2
| eval f4=f1."_".f2
So f3 will be abc123 and f4 will be abc_123.
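The same "last field between the final two '#'" extraction, as an added Python example that is not part of the thread and not Splunk's own code, so the behaviour can be checked offline against the two log lines from the question (copied here as constructed sample data). It shows both approaches the answers rely on: an end-anchored regex in the style of the rex answers (here written with a lazy `[^#]+?` so trailing whitespace before the closing '#' is not captured), and a delimiter split that makes clear why the message must be taken as the last field rather than by position, since the two events carry a different number of fields. The `user_key` helper and its `user_severity` naming are my own illustration of the `f1."_".f2` join idiom, not anything from the page.

```python
import re

# Constructed sample events: the two log lines from the question, verbatim.
SAMPLE_EVENTS = [
    "<12>Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO "
    "# User login # SSO # Success # User login successful.#",
    "<12>Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 "
    "# Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 "
    "# User name: diness. Failure reason: The user name does not match the "
    "password or the account does not exist. #",
]

# Text between the final two '#' delimiters.  Anchoring on '$' means an earlier
# '#' in the event cannot be mistaken for the closing delimiter.  The lazy
# [^#]+? stops before the optional whitespace that precedes the last '#', so
# "exist. #" yields "exist." rather than "exist. ".  A '#' inside the message
# itself would still truncate it; the sample format never produces one.
LAST_FIELD_RE = re.compile(r"#\s*(?P<message>[^#]+?)\s*#\s*$")


def extract_message(event: str):
    """Return the message between the last two '#', or None if absent."""
    m = LAST_FIELD_RE.search(event)
    return m.group("message") if m else None


def parse_fields(event: str):
    """Split a '#'-delimited event into (header, fields).

    The first sample carries 7 fields after the header, the second 9, so a
    positional pick (e.g. the 7th field) works for one event and not the
    other.  The message is reliably fields[-1] in both.
    """
    parts = re.split(r"\s*#\s*", event)
    if parts and parts[-1] == "":
        parts.pop()  # drop the empty piece after the trailing '#'
    header, fields = parts[0], parts[1:]
    return header, fields


def user_key(event: str) -> str:
    """Join two extracted fields with '_' (the SPL  f1."_".f2  idiom).

    Hypothetical key: <user>_<severity>, e.g. "jegan_minor".
    """
    _, fields = parse_fields(event)
    if len(fields) < 2:
        return ""
    severity, user = fields[0], fields[1]
    return f"{user}_{severity.lower()}"


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        header, fields = parse_fields(ev)
        print(f"{len(fields)} fields; message={extract_message(ev)!r}; "
              f"user_severity={user_key(ev)}")
```

Running the module prints the field count, the extracted message and the joined key for each sample event; the regex and the split agree on the message for both lines.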
Like this:
| makeresults
| eval raw="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#:::Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "#\s*(?<message>[^#]+)\s*#\s*$"
@vaibhavbharadwaj try the following regular expression:
| rex "\#\s*(?<message>[^\#]+)\s*#$"
Following is a run-anywhere example based on the sample data provided. Please try it out and confirm!
| makeresults
| fields - _time
| eval data="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#;Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex "\#\s*(?<message>[^\#]+)\s*#$"
| makeresults | eval message= "Happy Splunking!!!"
Do you have access to the search heads to modify the transforms and props.conf files?
| makeresults
|eval string="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#"
| rex mode=sed field=string "s/\#*$//"
| rex field=string "(?<message>[^\#]*$)"
| table string message
Explanation:
| rex mode=sed field=string "s/\#*$//" -> replaces the last # with nothing
| rex field=string "(?<message>[^\#]*$)" -> captures everything after the last # and puts it in a new field, 'message'