Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Context based regex field extraction

shrirangphadke
Path Finder
‎06-18-2015 05:55 PM

Hi,

I am trying to extract few fields out of logs but Splunk field extraction is not working in my case.

For example:

2015-06-17 13:48:55,689 abc-field [SystemEvent] Time:'June 17, 2015 8:48:55 PM GMT',Severity:'Critical', Event Source:'domain-c0', Code:'301503', Event Message:'Failed to publish abcd configuration version 1408159473758 to cluster domain-c0. Refer logs for details', Module:'abcd something'

2015-06-17 13:48:55,620 abc-xyz-something June 17, 2015 8:48:55 PM GMT INFO SimpleAsyncTaskExecutor-1 SystemEventDaoImpl:124 - [SystemEvent] Time:'June 17, 2015 8:48:55 PM GMT',Severity:'Informational', Event Source:'edge-0', Code:'30101', Event Message:'abcd was booted', Module:'abcd something Appliance'

In above two log snippets I am trying to extract value of the field "Severity".
But since the position of field "Severity" in both the logs are different Splunk returns the field such as:
1. Critical
2. June

Probably it is because Splunk does regex parsing based on position.

I want to extract the fields based on pre-context and post-context.
For example:
Pre-context: "Severity:'"
Required value
Post-context: "', Event"

I am completely stuck here. Please help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-18-2015 06:04 PM

Assuming these are the only 2 variants, try this:

... | rex "^.*?Severity\s*:\s*'?(?<Severity>[^'\s]+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-18-2015 06:04 PM

Assuming these are the only 2 variants, try this:

... | rex "^.*?Severity\s*:\s*'?(?<Severity>[^'\s]+)"
Reply
Solved! Jump to solution

shrirangphadke
Path Finder
‎06-18-2015 06:13 PM

Thank you very much for your answer !
Now it will take me another day to understand this 😛

0 Karma
Reply
Solved! Jump to solution

shrirangphadke
Path Finder
‎06-18-2015 06:19 PM

Is there any Splunk regex tutorial which I can follow ?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-18-2015 06:23 PM

I learned by doing but that's just the way I am. So although I cannot help you much there, I can suggest some tools. My favorite is Expresso which is free. I use this almost every day. It does a good job of "translating" the RegEx to english on the right side so that when somebody gives you a solution (like I did), it will show you bit-by-bit which each part of the RegEx is doing.

0 Karma
Reply
Solved! Jump to solution

shrirangphadke
Path Finder
‎06-22-2015 01:13 PM

This is exactly what I wanted thank you very much!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...