Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract a field using Regex

sanjay_shrestha
Contributor
‎05-13-2013 12:22 PM

Hi,

I have following output from a log file.

 

(5/1/13 - 1:36:05.01 PM)    Event   LOAD 1 Setup

(5/1/13 - 1:36:08.01 PM)    Event   LOAD 2 Setup

(5/1/13 - 1:37:07.37 PM)    Event   LOAD 1 Process

(5/1/13 - 1:37:17.37 PM)    Event   LOAD 3 Process

(5/1/13 - 1:38:07.39 PM)    Event   LOAD 1 Complete

(5/1/13 - 1:38:15.01 PM)    Event   LOAD 3 Setup

(5/1/13 - 1:38:17.39 PM)    Event   LOAD 2 Complete

(5/1/13 - 1:39:07.42 PM)    Event   READ 1 Setup

(5/1/13 - 1:39:17.37 PM)    Event   LOAD 3 Process

(5/1/13 - 1:39:27.39 PM)    Event   LOAD 3 Complete

(5/1/13 - 1:39:37.42 PM)    Event   READ 2 Setup

(5/1/13 - 1:39:57.42 PM)    Event   READ 3 Setup

(5/1/13 - 1:40:07.45 PM)    Info    READ 1 Process

(5/1/13 - 1:41:07.47 PM)    Error   READ 1 Complete

(5/1/13 - 1:41:17.45 PM)    Info    READ 2 Process

(5/1/13 - 1:41:27.45 PM)    Info    READ 3 Process

(5/1/13 - 1:41:57.47 PM)    Error   READ 2 Complete

(5/1/13 - 1:42:07.47 PM)    Error   READ 3 Complete

I need to extract a field "WorkID", so I used following REGEX



 rex field=_raw "LOAD (?\d+)|READ (?\d+)"

and got error message "Regex: two named subpatterns have the same name"

If I change the WorkID field to WorkID1 and WorkID2, it works but not sure how to consolidate these 2 fields.

Later I will be using "Transaction" to get following output:



Start Time                    End Time                       WorkId 

(5/1/13 - 1:36:05.01 PM)    (5/1/13 - 1:41:07.47 PM)                1

(5/1/13 - 1:36:08.01 PM)    (5/1/13 - 1:41:57.47 PM)                2

(5/1/13 - 1:38:15.01 PM)    (5/1/13 - 1:42:07.47 PM)                3

What would be best ( practice) implementation for this issue?

Thanks!!!!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wpreston
Motivator
‎05-13-2013 12:35 PM

If you rework your RegEx a little bit, you should be able to get the field extraction. Try this out:

rex field=_raw "(LOAD|READ)\s(?<workid>\d+)"

View solution in original post

Reply
Solved! Jump to solution

sanjay_shrestha
Contributor
‎05-13-2013 02:27 PM

Thanks to wpreston and sdaniels. Both solutions worked!!!!

0 Karma
Reply
Solved! Jump to solution
Solution

wpreston
Motivator
‎05-13-2013 12:35 PM

If you rework your RegEx a little bit, you should be able to get the field extraction. Try this out:

rex field=_raw "(LOAD|READ)\s(?<workid>\d+)"

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎05-13-2013 12:32 PM

I think this comes down to a better regex. This is an example that will match just the workid number you are looking for or you could change your 'OR' on the word match as well. A lookbehind assertion on a 4 letter word that is all caps plus the space.

(?<=[A-Z]{4}\s)\d

Rex would be something like this:

rex field=_raw "(?<=[A-Z]{4}\s)(?<workid>\d+)"
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...