Extract String using REGEX

ashishlal82 · ‎03-31-2017

I am fairly new to REGEX and need help with extracting values from the below event
22 Mar 2017 18:41:15,320 WARN SinkRunner-PollingRunner-DefaultSinkProcessor - Using default maxIOWorkers

OUTPUT
Status(field Name) - value(WARN)

woodcock · ‎03-31-2017

I use this tool:
http://www.regex101.com

Like this:

... | rex "(?<Status>\S+)\s*\["

alemarzu · ‎03-31-2017

Hi there, try with this.

^[\d\w\s:]+,\d{3}\s(?<STATUS>[A-Z]+)\s\[

OR

,\d{3}\s(?<STATUS>[A-Z]+)(?=\s\[)

adonio · ‎03-31-2017

you can use the gui field extractor
click an event -> event actions -> extract field -> regular expression -> pick WARN -> name it Status -> verify -> save

inventsekar · ‎03-31-2017

some more details please...

some example OUTPUTS please

Output shoukd be like like
"Status(field Name) - value(WARN)"
Or
"Field name - WARN"

Also what is the "field name" on this above event?

DalJeanis · ‎03-31-2017

I believe OP means he wants the value WARN pulled into the field name Status.

Extract String using REGEX

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation

Extract String using REGEX

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!