Solved: Re: Log level extraction

sphiwee · ‎10-18-2020

here is some sample data, can someone help me with a regular expression to extract the highlighted part "status:READY_TO_PROCESS" as process status

2020-10-18 14:06:18 [bp-[507bbd99]-completeMachineRun-233466] HitService [INFO] Created typed run Run: id=233467, uuid=7653767a-5e85-409d-aa3e-69bbeac40ad0 name=Final Results {size:0, status:READY_TO_PROCESS, rootRun:7653767a-5e85-409d-aa3e-69bbeac40ad0, data:}

isoutamo · ‎10-18-2020

Hi

I expecting that there is always word status and then it’s value ending to ,. If this is not a valid expectation then this rex needs to updated.

...
| rex "(?<status>status:[^,]+)"

r. Ismo

View solution in original post

sphiwee · ‎10-18-2020

Sorry but it's pulling something totally different

isoutamo · ‎10-18-2020

Forget + from the end, did it works now?

isoutamo · ‎10-18-2020

Hi

I expecting that there is always word status and then it’s value ending to ,. If this is not a valid expectation then this rex needs to updated.

...
| rex "(?<status>status:[^,]+)"

r. Ismo

sphiwee · ‎10-18-2020

Sorry but it's pulling something totally different

inventsekar · ‎10-18-2020

Hi @sphiwee ... @isoutamo 's rex query is working fine and extracting the status msg(did you add the plus sign and the field=_raw or ur fieldname?). Please check the screenshot:

| makeresults 
| eval log="2020-10-18 14:06:18 [bp-[507bbd99]-completeMachineRun-233466] HitService [INFO] Created typed run Run: id=233467, uuid=7653767a-5e85-409d-aa3e-69bbeac40ad0 name=Final Results {size:0, status:READY_TO_PROCESS, rootRun:7653767a-5e85-409d-aa3e-69bbeac40ad0, data:}" 
| rex field=log "(?<status>status:[^,]+)" | table status

Log level extraction

configuration

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!