Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ESA field extraction using regex!

kiran331
Builder
‎06-12-2017 12:23 PM

Hi

How to extract the field for the below sample ESA logs.

Sun Jun 11 17:33:36 2017 Info: Double bounce: MID 112011 to 0 - 5.1.2 - Bad destination host 'DNS Hard Error looking up abc.com (MX): KKDOMAIN'

Sun Jun 11 10:30:23 2017 Info: Double bounce: MID 221212 to 0 - 5.4.7 - Delivery expired (message too old) [Default] 451-'Open is not allowed please check'

I need the

field1="Bad destination host" & "Delivery expired (message too old) "

field2="'DNS Hard Error looking up abc.com (MX): KKDOMAIN" & "Open is not allowed please check"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎06-12-2017 01:01 PM

Hi kiran331,

based on the provided examples and based on my assumption that field1 always has the MID 112011 and field2 has the MID 221212 you can use this regex:

 MID\s\d+\sto\s\d\s-\s5\.1\.2\s-\s(?<field1>[^\r\n]+)|MID\s\d+\sto\s\d\s-\s5\.4\.7\s-\s(?<field2>[^\r\n]+)

Hope this helps ...

cheers, MuS

Updated after comment ...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎06-12-2017 01:01 PM

Hi kiran331,

based on the provided examples and based on my assumption that field1 always has the MID 112011 and field2 has the MID 221212 you can use this regex:

 MID\s\d+\sto\s\d\s-\s5\.1\.2\s-\s(?<field1>[^\r\n]+)|MID\s\d+\sto\s\d\s-\s5\.4\.7\s-\s(?<field2>[^\r\n]+)

Hope this helps ...

cheers, MuS

Updated after comment ...

0 Karma
Reply
Solved! Jump to solution

kiran331
Builder
‎06-12-2017 01:14 PM

MID will be different for each events, is there a way to get the field values after 5.1.2 - OR 5.4.7-

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎06-12-2017 01:21 PM

sure, see my updated answer 😉

0 Karma
Reply
Solved! Jump to solution

kiran331
Builder
‎06-12-2017 01:54 PM

HI Mus, Thanks for the solution. Is there a way to update this for all values not only 5.1.2 Or 5.4.7, it has different values.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎06-12-2017 02:00 PM

If you want to have them all in the same field name, Yes. Otherwise you would have to use different field names and therefore different regex's for each 5.1.2 or 5.4.7 like number. So for example for matches into one field name you can use this:

 MID\s\d+\sto\s\d+\s-\s\d\.\d\.\d\s-\s(?<field>[^\r\n]+)
0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎06-12-2017 02:04 PM

or you use props.conf and transforms.conf like this:

props.conf

[mySourceType]
REPORT-myDynamicFieldName = myDynamicFieldName

transforms.conf

[myDynamicFieldName]
REGEX  = MID\s\d+\sto\s\d+\s-\s(\d\.\d\.\d)\s-\s([^\r\n]+)
FORMAT = fieldname_$1::$2

This will create a dynamic field name like fieldname_5.1.2 or fieldname_5.4.7 in search time ...
Maybe this helps?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...