Splunk Search

Extract multiple unmapped fields using Regex

Path Finder

Hi,

I have the following log from which I need to extract 2 fields:

 

[INFO ] 2020-11-16 20:52:30,729 (http-nio-8085-exec-127) [MyServiceImpl(emailServ:6431)] [my email@yahoo.com] [4223TD-E3DE-2345-8E59-1-YDHGC]   Validation failed.Invalid. Response JSON {"emailAddress":"mynewemail","statusReason":"failed_syntax_check","domain":"","processedAt":"2020-11-16 20:52:30 GMT-0700 (MST)","cache":false,"account":"","status":"invalid"}

 


I need to show the below values as 2 different fields in a table:

  • my email@yahoo.com as Email1
  • mynewemail as Email2

Was not able to fetch Email1 field. Tried to fetch the Email2 field as below. But that didnt work either.

 

^(?:[^<\n]*<){2}\s+"\{"\w+":"(?P<emailAddress>[^"]+)

 

 

Please extend your help.

Labels (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Hi @Nidd,

sorry: I forgot a slice of my regex:

| rex "\]\s+\[(?<email1>[^\@]+\@[^\@]+)\]\s+\[.*emailAddress\":\"(?<email2>[^\"]+)"

that you can test at https://regex101.com/r/ZLI9NN/2

Ciao.

Giuseppe 

View solution in original post

Builder
| rex "(\[[^\[]+){2}\[(?<email1>[^\]]+).*emailAddress\":\"(?<email2>[^\"]+)"

SplunkTrust
SplunkTrust

Hi @Nidd, try this:

 

| rex "\[(?<email1>[^\@]+\@[^\@]+)\]\s+\[.*emailAddress\":\"(?<email2>[^\"]+)"

that you can test at https://regex101.com/r/ZLI9NN/1

Ciao.

Giuseppe

0 Karma

Path Finder

Thank you @gcusello for the reply.

When trying to bring these fields in a table, the email2 field was perfect. But the email1 field came out like:

[INFO ] 2020-11-16 20:52:30,729 (http-nio-8085-exec-127) [MyServiceImpl(emailServ:6431)] [my email@yahoo.com

 

0 Karma

SplunkTrust
SplunkTrust

Hi @Nidd,

sorry: I forgot a slice of my regex:

| rex "\]\s+\[(?<email1>[^\@]+\@[^\@]+)\]\s+\[.*emailAddress\":\"(?<email2>[^\"]+)"

that you can test at https://regex101.com/r/ZLI9NN/2

Ciao.

Giuseppe 

View solution in original post

Path Finder

Thank you very much @gcusello . That worked !!!

0 Karma