Extract String using REGEX

ashishlal82 · ‎03-31-2017

I am fairly new to REGEX and need help with extracting values from the below event
22 Mar 2017 18:41:15,320 WARN SinkRunner-PollingRunner-DefaultSinkProcessor - Using default maxIOWorkers

OUTPUT
Status(field Name) - value(WARN)

woodcock · ‎03-31-2017

I use this tool:
http://www.regex101.com

Like this:

... | rex "(?<Status>\S+)\s*\["

alemarzu · ‎03-31-2017

Hi there, try with this.

^[\d\w\s:]+,\d{3}\s(?<STATUS>[A-Z]+)\s\[

OR

,\d{3}\s(?<STATUS>[A-Z]+)(?=\s\[)

adonio · ‎03-31-2017

you can use the gui field extractor
click an event -> event actions -> extract field -> regular expression -> pick WARN -> name it Status -> verify -> save

inventsekar · ‎03-31-2017

some more details please...

some example OUTPUTS please

Output shoukd be like like
"Status(field Name) - value(WARN)"
Or
"Field name - WARN"

Also what is the "field name" on this above event?

DalJeanis · ‎03-31-2017

I believe OP means he wants the value WARN pulled into the field name Status.

Extract String using REGEX

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors