Extract String using REGEX

ashishlal82 · ‎03-31-2017

I am fairly new to REGEX and need help with extracting values from the below event
22 Mar 2017 18:41:15,320 WARN SinkRunner-PollingRunner-DefaultSinkProcessor - Using default maxIOWorkers

OUTPUT
Status(field Name) - value(WARN)

woodcock · ‎03-31-2017

I use this tool:
http://www.regex101.com

Like this:

... | rex "(?<Status>\S+)\s*\["

alemarzu · ‎03-31-2017

Hi there, try with this.

^[\d\w\s:]+,\d{3}\s(?<STATUS>[A-Z]+)\s\[

OR

,\d{3}\s(?<STATUS>[A-Z]+)(?=\s\[)

adonio · ‎03-31-2017

you can use the gui field extractor
click an event -> event actions -> extract field -> regular expression -> pick WARN -> name it Status -> verify -> save

inventsekar · ‎03-31-2017

some more details please...

some example OUTPUTS please

Output shoukd be like like
"Status(field Name) - value(WARN)"
Or
"Field name - WARN"

Also what is the "field name" on this above event?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

DalJeanis · ‎03-31-2017

I believe OP means he wants the value WARN pulled into the field name Status.

Extract String using REGEX

The All New Performance Insights for Splunk

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Are you a member of the Splunk Community?

Extract String using REGEX

The All New Performance Insights for Splunk

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...