Extract fields using colon (:) except time field

richnavis · ‎01-18-2018

Hello,
I'm trying to use the field extraction tool for a data file that where the fields are delineated by a colon(:). However, the time fields ALSO contains a colon, so it doesn't extract this field correctly. Any thoughts on how to work around this? Sample Event Below

INFO : LM_36488 [Thu Jan 18 17:00:18 2018] : (11616|15356) Session task instance [Big_Data_Job] : [TM_6721 Started [Fetch Session from Repository].]

Predictably, this gets broken out like this
INFO
LM_36488 Thu Jan 18 17
00
18 2018 Session task instance [Big_Data_Job]
[TM_6721 Started [Fetch Session from Repository].]

horsefez · ‎01-22-2018

@richnavis, any success with trying out the suggested solutions yet?

mayurr98 · ‎01-19-2018

hey try this run anywhere search

| makeresults | eval _raw="INFO : LM_36488 [Thu Jan 18 17:00:18 2018] : (11616|15356) Session task instance [Big_Data_Job] : [TM_6721 Started [Fetch Session from Repository].]" | rex field=_raw "^(?<field1>[^\:]+)\s:\s(?<field2>[^\]]+])\s:\s(?<field3>[^\]]+])\s:\s(?<field4>.*)"

In your environment you should write

<your_base_search> |rex field=_raw "^(?<field1>[^\:]+)\s:\s(?<field2>[^\]]+])\s:\s(?<field3>[^\]]+])\s:\s(?<field4>.*)"

let me know if this helps!

horsefez · ‎01-19-2018

Hey richnavis,

when you do field extractions do "regular expressions" instead of "delimeters".
Then click "write your regular expression yourself" and paste this regex in:
(?<field1>[^\:]+)\s+?\:\s+?(?<field2>[^\[]+)\s+?\[(?<date>[^\]]+)\]\s+?\:\s+?(?<field4>[^\:]+)\s+?\:\s+?(?<field5>[^$]+)

substitute the "fieldX" values with the names your actual fields should have

Cheers!

https://regex101.com/r/ghD0XE/2

Extract fields using colon (:) except time field

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience