Hi there,
I'm trying so hard to create a new field in Splunk, but I don't know where I'm going wrong.
I would like to extract "Log Closed" or just "Log" from the event, but when I do, I get all kinds of results other than what I want.
I tried with extract and require.
On the extract end I get a mixed variety of results, most of them with no relation to what I'm looking for.
On the require end, when I select all the correct lines, I cannot press the Next button as it is grayed out. And I have no other clue what to do next.
My question is: what path should I take to get "Log Closed" or just "Log" from the event "2021-11-18 02:19:04.291 - Thread: 1 -> Log Closed" to make a new field? I would like to make a new field as I have a "Log Started" and a "Log Closed".
I even tried to look at the regex, but I understand none of it, except that I know \n is a new line.
The regex is: ^[^>\n]*>\s+(?P<LogClosed>\w+\s+\w+)
Thank you.
Use regex101.com to test the regex - it gives you a breakdown of what the regex means.
In your case, if you simply want a field called LogClosed with the value "Log Closed" in it and you are not interested in any other string, you could simply use this regex:
(?P<LogClosed>Log Closed)
Thank you very much @ITWhisperer.
Why is it not showing this when checking the regex, but instead showing me some mumbo jumbo?
Also, how do I add "Log Started" to this (?P<LogClosed>Log Closed)?
I tried something like this (?P<Log>Log Started)|(Log Closed) but I get only the "Log Started".
What I want in the end is to make a pivot of the time when the "event" occurred and "Log Started"/"Log Closed", and get a list of "Log Started" and "Log Closed" ordered by time ... if it makes sense to you what I'm trying to describe.
So having 2 fields, one called "Log Started" and the other "Log Closed", I don't think is going to work. In my head I have a reference to Windows logs where there are codes for various events. And that "code" has multiple numbers, but if I tell Splunk what code it should look for, it works like a charm.
Anyway ... I hope I was clear enough to understand and I look forward to your reply.
(?P<Log>Log (Started|Closed))
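To see why the three regexes in this thread behave differently, here is an added example (not part of the original thread or of Splunk itself) that runs them over a few constructed events in the same format as the one quoted in the question. Python's re module accepts the same (?P<name>...) named-group syntax that Splunk's PCRE engine uses, so the captures are the same ones Splunk would produce. The sample events, the field name Log and the helper functions extract and timeline are assumptions made for the example.

```python
import re

# Constructed sample events in the format quoted in the question (not real logs).
SAMPLE_EVENTS = [
    "2021-11-18 02:18:59.004 - Thread: 1 -> Log Started",
    "2021-11-18 02:19:01.120 - Thread: 1 -> Some other message here",
    "2021-11-18 02:19:04.291 - Thread: 1 -> Log Closed",
]

# The regex the field extractor generated: after "->" it captures *any* two words,
# which is why it returns a mixed variety of results unrelated to "Log Closed".
GENERATED_RE = re.compile(r"^[^>\n]*>\s+(?P<LogClosed>\w+\s+\w+)")

# The broken attempt from the thread: only the first alternative sits inside the
# named group, so events matching "Log Closed" leave the Log field empty.
BROKEN_RE = re.compile(r"(?P<Log>Log Started)|(Log Closed)")

# The answer's regex: the alternation is inside the named group, so both values
# land in the same Log field.
FIXED_RE = re.compile(r"(?P<Log>Log (Started|Closed))")

# Assumed timestamp format (first two whitespace-separated tokens of the event).
TIMESTAMP_RE = re.compile(r"^(?P<time>\S+ \S+)")


def extract(pattern, field, events):
    """Return the value captured into `field` for each event.

    None means either the event did not match at all, or it matched through an
    alternative that is outside the named group (the BROKEN_RE case).
    """
    results = []
    for event in events:
        m = pattern.search(event)
        results.append(m.group(field) if m else None)
    return results


def timeline(events, pattern=FIXED_RE, field="Log"):
    """Pair each event's timestamp with its extracted Log value, in event order,
    skipping events where the field is not populated. This is the list of
    "Log Started"/"Log Closed" by time that the question is after."""
    rows = []
    for event in events:
        m = pattern.search(event)
        if not m or m.group(field) is None:
            continue
        ts = TIMESTAMP_RE.match(event)
        rows.append((ts.group("time") if ts else None, m.group(field)))
    return rows


if __name__ == "__main__":
    print("generated:", extract(GENERATED_RE, "LogClosed", SAMPLE_EVENTS))
    print("broken:   ", extract(BROKEN_RE, "Log", SAMPLE_EVENTS))
    print("fixed:    ", extract(FIXED_RE, "Log", SAMPLE_EVENTS))
    for when, what in timeline(SAMPLE_EVENTS):
        print(when, what)
```

The same fixed regex can be tried directly in a Splunk search with the rex command, e.g. `... | rex "(?P<Log>Log (Started|Closed))" | table _time Log`, before committing it as a saved field extraction; any event whose message does not contain either phrase simply gets no Log field, which is what you want for the pivot.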
Hi @ITWhisperer ,
Where or how do you learn this stuff?
I mean, I know there is info out there somewhere, but how do you put things together, or, as they say, connect the dots?
I'm asking because even when I tried to use regex101.com, it was not that obvious a choice to use this form.
Anyway ... Thank you so much.
Where do I send beer? :))
regex101.com is a great resource - trial and error goes a long way for learning this stuff - you can probably find other resources too, https://www.regular-expressions.info/ has a pretty comprehensive tutorial for example.