Splunk Search

Can you help me extract the following fields using the rex command?

harishnpandey
Explorer

Is there any way I can extract only "PersistenceLo cache cleared!" and "PmFinUtilityL Cache Cleared" (highlighted in bold)?

[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!
[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!
1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!
[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared.

I would appreciate your help framing the rex query.

0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

your base search | rex "^(\S+\s+){4}(?<Message>.+)"


0 Karma

vinod94
Contributor

You can try this,

| makeresults 
| eval data="[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!,
[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!,
1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!,
[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared." 
| makemv delim="," data 
| mvexpand data 
| rename data as _raw 
| rex field=_raw "]\s\d+\w+\s(?P<field>[^?].*)"

0 Karma


harishnpandey
Explorer

Awesome bud. It works as expected.

Appreciate your prompt reply. Thank you

0 Karma

harishnpandey
Explorer

Hi,

Can you please explain the solution a bit?

0 Karma

nickhills
Ultra Champion

What the regex statement means is:

(\S+\s+)
some characters, then a space

{4}
repeat the above 4 times

(?<Message>.+)
take all the remaining characters, and write them to a new field called 'Message'

Does that help?

If my comment helps, please give it a thumbs up!

0 Karma
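To make the explanation above concrete, here is an added Python walk-through (not code from the thread or from Splunk) that runs both regexes posted in the thread over the four log lines from the question and shows that they extract the same Message. The only change needed outside Splunk is the named-group spelling: Splunk's PCRE accepts (?<Message>...), while Python's re module needs (?P<Message>...). The third pattern, which splits the tail into ThreadId, Component, Level and Text, is an assumption of mine about how the fields are laid out; it goes a step beyond the accepted answer so that the component name and the message text can be searched on separately.

```python
import re

# The four log lines from the question, embedded as constructed sample input.
# The third line is missing its leading "[" exactly as it was posted.
LOG_LINES = [
    "[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!",
    "[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!",
    "1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!",
    "[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared.",
]

# somesoni2's accepted rex: skip four whitespace-delimited tokens
# (date, time, timezone, thread id) and keep everything after them.
ACCEPTED_RE = re.compile(r"^(\S+\s+){4}(?P<Message>.+)")

# vinod94's rex: anchor on the "]" that closes the timestamp, skip the
# thread id, keep the rest. rex does not anchor unless "^" is given,
# so this one is applied with search() rather than match().
ANCHORED_RE = re.compile(r"]\s\d+\w+\s(?P<field>[^?].*)")

# Assumed finer split of the same tail (not from the thread): the tokens
# after the timestamp are thread id, component, one-letter level, text.
PARTS_RE = re.compile(
    r"^(?:\S+\s+){3}"          # date, time, timezone (with or without "[")
    r"(?P<ThreadId>\S+)\s+"
    r"(?P<Component>\S+)\s+"
    r"(?P<Level>\S)\s+"
    r"(?P<Text>.+)$"
)


def extract_message(line):
    """Message as the accepted rex produces it, or None if fewer than
    four tokens precede it (e.g. a truncated line)."""
    m = ACCEPTED_RE.match(line)
    return m.group("Message") if m else None


def extract_field_anchored(line):
    """Same extraction using vinod94's "]"-anchored pattern."""
    m = ANCHORED_RE.search(line)
    return m.group("field") if m else None


def extract_parts(line):
    """Split the tail into ThreadId, Component, Level and Text (assumed layout)."""
    m = PARTS_RE.match(line)
    return m.groupdict() if m else None


def both_patterns_agree(lines):
    """True when the two posted regexes yield identical Message values."""
    return all(extract_message(l) == extract_field_anchored(l) for l in lines)


if __name__ == "__main__":
    for line in LOG_LINES:
        print(extract_message(line), "|", extract_parts(line))
    print("patterns agree:", both_patterns_agree(LOG_LINES))
```

Both posted patterns return "PersistenceLo I cache cleared!" for the first line, including the single-letter log level, so a search that wants only the text after the level should use the finer split (or rex on the Message field a second time).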