Splunk Search

Can you help me extract the following fields using the rex command?

harishnpandey
Explorer

Is there any way I can extract only "PersistenceLo cache cleared!" and "PmFinUtilityL Cache Cleared" (highlighted in bold)?

[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!
[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!
1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!
[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared.

I would appreciate your help framing the rex query.

1 Solution

somesoni2
Revered Legend

Give this a try

your base search | rex "^(\S+\s+){4}(?<Message>.+)"


vinod94
Contributor

You can try this,

| makeresults 
| eval data="[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!,
[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!,
1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!,
[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared." 
| makemv delim="," data 
| mvexpand data 
| rename data as _raw 
| rex field=_raw "]\s\d+\w+\s(?P<field>[^?].*)"


harishnpandey
Explorer

Awesome bud. It works as expected.

I appreciate your prompt reply. Thank you.

harishnpandey
Explorer

Hi,

Can you please explain a bit about the solution?

nickhills
Ultra Champion

What the regex statement means is:

(\S+\s+)
some characters, then a space

{4}
repeat the above 4 times

(?<Message>.+)
take all the remaining characters, and write them to a new field called 'Message'

Does that help?

If my comment helps, please give it a thumbs up!
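To see the two rex patterns from this thread behave on the exact sample events (including the third one, which is missing its leading "["), here is an added Python check that is not part of any post above. It translates the Splunk named-group syntax to Python's `(?P<name>...)` form and also adds a stricter pattern, my own and not from the thread, that separates the component and the one-letter level from the message text.

```python
import re
from typing import Optional

# Constructed sample events, copied from the question.
# The third one lacks the leading "[", which is why anchoring on
# "whitespace-separated tokens" or on "] " is more robust than anchoring on "[".
SAMPLE_EVENTS = [
    "[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!",
    "[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!",
    "1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!",
    "[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared.",
]

# somesoni2's rex: skip four whitespace-delimited tokens (date, time, zone, thread id),
# capture everything after them. Splunk's (?<Message>...) becomes (?P<Message>...) here.
SKIP_FOUR_TOKENS = re.compile(r"^(\S+\s+){4}(?P<Message>.+)")

# vinod94's rex: anchor on the "] " closing the timestamp, then the hex thread id.
# Note \d+\w+ requires the id to start with at least one digit.
AFTER_THREAD_ID = re.compile(r"\]\s\d+\w+\s(?P<field>[^?].*)")

# Added stricter variant (not from the thread): splits component, level and message,
# so "PersistenceLo" and "cache cleared!" are available as separate fields.
STRUCTURED = re.compile(
    r"^(\S+\s+){4}(?P<Component>\S+)\s+(?P<Level>\S)\s+(?P<Message>.+)"
)


def extract_message(event: str) -> Optional[str]:
    """Message field as produced by somesoni2's rex, or None if no match."""
    m = SKIP_FOUR_TOKENS.search(event)
    return m.group("Message") if m else None


def extract_field(event: str) -> Optional[str]:
    """The 'field' capture as produced by vinod94's rex, or None if no match."""
    m = AFTER_THREAD_ID.search(event)
    return m.group("field") if m else None


def extract_structured(event: str) -> Optional[dict]:
    """Component / Level / Message split, or None if the line is not in this shape."""
    m = STRUCTURED.search(event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_message(ev), "|", extract_field(ev), "|", extract_structured(ev))
```

Both thread patterns yield the same value on all four lines, so the difference is only in what they anchor on, not in the result.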