Extract String using REGEX

ashishlal82 · ‎03-31-2017

I am fairly new to REGEX and need help with extracting values from the below event
22 Mar 2017 18:41:15,320 WARN SinkRunner-PollingRunner-DefaultSinkProcessor - Using default maxIOWorkers

OUTPUT
Status(field Name) - value(WARN)

woodcock · ‎03-31-2017

I use this tool:
http://www.regex101.com

Like this:

... | rex "(?<Status>\S+)\s*\["

alemarzu · ‎03-31-2017

Hi there, try with this.

^[\d\w\s:]+,\d{3}\s(?<STATUS>[A-Z]+)\s\[

OR

,\d{3}\s(?<STATUS>[A-Z]+)(?=\s\[)

adonio · ‎03-31-2017

you can use the gui field extractor
click an event -> event actions -> extract field -> regular expression -> pick WARN -> name it Status -> verify -> save

inventsekar · ‎03-31-2017

some more details please...

some example OUTPUTS please

Output shoukd be like like
"Status(field Name) - value(WARN)"
Or
"Field name - WARN"

Also what is the "field name" on this above event?

DalJeanis · ‎03-31-2017

I believe OP means he wants the value WARN pulled into the field name Status.

Extract String using REGEX

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation

Extract String using REGEX

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud