Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Extract a field using Regex

sanjay_shrestha
Contributor
‎05-13-2013 12:22 PM

Hi,

I have following output from a log file.

 

(5/1/13 - 1:36:05.01 PM)    Event   LOAD 1 Setup

(5/1/13 - 1:36:08.01 PM)    Event   LOAD 2 Setup

(5/1/13 - 1:37:07.37 PM)    Event   LOAD 1 Process

(5/1/13 - 1:37:17.37 PM)    Event   LOAD 3 Process

(5/1/13 - 1:38:07.39 PM)    Event   LOAD 1 Complete

(5/1/13 - 1:38:15.01 PM)    Event   LOAD 3 Setup

(5/1/13 - 1:38:17.39 PM)    Event   LOAD 2 Complete

(5/1/13 - 1:39:07.42 PM)    Event   READ 1 Setup

(5/1/13 - 1:39:17.37 PM)    Event   LOAD 3 Process

(5/1/13 - 1:39:27.39 PM)    Event   LOAD 3 Complete

(5/1/13 - 1:39:37.42 PM)    Event   READ 2 Setup

(5/1/13 - 1:39:57.42 PM)    Event   READ 3 Setup

(5/1/13 - 1:40:07.45 PM)    Info    READ 1 Process

(5/1/13 - 1:41:07.47 PM)    Error   READ 1 Complete

(5/1/13 - 1:41:17.45 PM)    Info    READ 2 Process

(5/1/13 - 1:41:27.45 PM)    Info    READ 3 Process

(5/1/13 - 1:41:57.47 PM)    Error   READ 2 Complete

(5/1/13 - 1:42:07.47 PM)    Error   READ 3 Complete

I need to extract a field "WorkID", so I used following REGEX



 rex field=_raw "LOAD (?\d+)|READ (?\d+)"

and got error message "Regex: two named subpatterns have the same name"

If I change the WorkID field to WorkID1 and WorkID2, it works but not sure how to consolidate these 2 fields.

Later I will be using "Transaction" to get following output:



Start Time                    End Time                       WorkId 

(5/1/13 - 1:36:05.01 PM)    (5/1/13 - 1:41:07.47 PM)                1

(5/1/13 - 1:36:08.01 PM)    (5/1/13 - 1:41:57.47 PM)                2

(5/1/13 - 1:38:15.01 PM)    (5/1/13 - 1:42:07.47 PM)                3

What would be best ( practice) implementation for this issue?

Thanks!!!!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wpreston
Motivator
‎05-13-2013 12:35 PM

If you rework your RegEx a little bit, you should be able to get the field extraction. Try this out:

rex field=_raw "(LOAD|READ)\s(?<workid>\d+)"

View solution in original post

Reply
Solved! Jump to solution

sanjay_shrestha
Contributor
‎05-13-2013 02:27 PM

Thanks to wpreston and sdaniels. Both solutions worked!!!!

0 Karma
Reply
Solved! Jump to solution
Solution

wpreston
Motivator
‎05-13-2013 12:35 PM

If you rework your RegEx a little bit, you should be able to get the field extraction. Try this out:

rex field=_raw "(LOAD|READ)\s(?<workid>\d+)"

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎05-13-2013 12:32 PM

I think this comes down to a better regex. This is an example that will match just the workid number you are looking for or you could change your 'OR' on the word match as well. A lookbehind assertion on a 4 letter word that is all caps plus the space.

(?<=[A-Z]{4}\s)\d

Rex would be something like this:

rex field=_raw "(?<=[A-Z]{4}\s)(?<workid>\d+)"
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...