Extract String using REGEX

ashishlal82 · ‎03-31-2017

I am fairly new to REGEX and need help with extracting values from the below event
22 Mar 2017 18:41:15,320 WARN SinkRunner-PollingRunner-DefaultSinkProcessor - Using default maxIOWorkers

OUTPUT
Status(field Name) - value(WARN)

woodcock · ‎03-31-2017

I use this tool:
http://www.regex101.com

Like this:

... | rex "(?<Status>\S+)\s*\["

alemarzu · ‎03-31-2017

Hi there, try with this.

^[\d\w\s:]+,\d{3}\s(?<STATUS>[A-Z]+)\s\[

OR

,\d{3}\s(?<STATUS>[A-Z]+)(?=\s\[)

adonio · ‎03-31-2017

you can use the gui field extractor
click an event -> event actions -> extract field -> regular expression -> pick WARN -> name it Status -> verify -> save

inventsekar · ‎03-31-2017

some more details please...

some example OUTPUTS please

Output shoukd be like like
"Status(field Name) - value(WARN)"
Or
"Field name - WARN"

Also what is the "field name" on this above event?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

DalJeanis · ‎03-31-2017

I believe OP means he wants the value WARN pulled into the field name Status.

Extract String using REGEX

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

Extract String using REGEX

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2