Splunk Search

Can you help me extract the following fields using the rex command?

harishnpandey
Explorer

Is there any way I can extract only PersistenceLo cache cleared! and PmFinUtilityL Cache Cleared (highlighted in BOLD)?

[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!
[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!
1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!
[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared.

I appreciate your help in framing the rex query.


vinod94
Contributor

You can try this,

| makeresults 
| eval data="[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!,
[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!,
1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!,
[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared." 
| makemv delim="," data 
| mvexpand data 
| rename data as _raw 
| rex field=_raw "]\s\d+\w+\s(?P<field>[^?].*)"

somesoni2
Revered Legend

Give this a try

your base search | rex "^(\S+\s+){4}(?<Message>.+)"

harishnpandey
Explorer

Awesome bud. It works as expected.

Appreciate your prompt reply. Thank you.

harishnpandey
Explorer

Hi,

Can you please explain a bit about the solution?

nickhills
Ultra Champion

What the regex statement means is:

(\S+\s+)
some characters, then a space

{4}
repeat the above 4 times

(?<Message>.+)
take all the remaining characters, and write them to a new field called 'Message'

Does that help?

If my comment helps, please give it a thumbs up!
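To see why the accepted token-count regex also copes with the third sample event (which lost its leading "["), here is an added Python check that is not part of this thread. It applies both posted patterns to the sample events and, going one step beyond the thread, a stricter pattern (my own, not from any answer) that names the timestamp, thread id, component and level as separate fields and refuses malformed events instead of silently shifting the Message. Python's re module only accepts the (?P<name>...) spelling, so the Splunk (?<Message>...) group is written that way here.

```python
import re
from typing import Optional

# Sample events copied from the question; the third one really lacks its leading "[".
SAMPLE_EVENTS = [
    "[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!",
    "[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!",
    "1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!",
    "[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared.",
]

# somesoni2's pattern: skip four whitespace-delimited tokens, keep everything after them.
# It does not care whether the timestamp bracket is present, which is why event 3 still works.
MESSAGE_RE = re.compile(r"^(\S+\s+){4}(?P<Message>.+)")

# vinod94's pattern: anchor on the "]" closing the timestamp instead of counting tokens.
# rex searches anywhere in the field, so re.search() is the equivalent here.
BRACKET_RE = re.compile(r"]\s\d+\w+\s(?P<field>[^?].*)")

# Stricter pattern (assumed shape, added here): every field named and the whole line anchored,
# so an event that does not look like the others fails to match rather than yielding a wrong value.
STRICT_RE = re.compile(
    r"^\[(?P<timestamp>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}:\d{3} \w+)\] "
    r"(?P<thread_id>[0-9a-f]{8}) (?P<component>\S+) (?P<level>[A-Z]) (?P<message>.+)$"
)


def extract_message(event: str) -> Optional[str]:
    """Return the Message field as somesoni2's rex would, or None when nothing matches."""
    m = MESSAGE_RE.match(event)
    return m.group("Message") if m else None


def extract_bracket_field(event: str) -> Optional[str]:
    """Return the field vinod94's rex would extract, or None when nothing matches."""
    m = BRACKET_RE.search(event)
    return m.group("field") if m else None


def extract_strict(event: str) -> Optional[dict]:
    """Return all named fields, or None when the event does not have the expected shape."""
    m = STRICT_RE.match(event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_message(event), "|", extract_bracket_field(event), "|", extract_strict(event))
```

Both posted patterns return "PmFinUtilityL I cache cleared!" for the bracket-less third event, while the strict pattern returns None for it, which is the behaviour you want when a dashboard or alert should not trust a field pulled from a line that does not look like the rest.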