Solved: Extract raw data using rex

ninadmnaik · ‎09-19-2012

I want to extract exception, key and message from a raw event in our logs. The event looks like:

EXCEPTION - : TypeOfException : keyprefix.keyName : Message from web service

From the event I use REX to get the following:

exception=TypeOfException
key=keyprefix.keyName
message=Message from web service

I am using the following rex for it:

rex field=_raw "EXCEPTION - : (?\w+) : (?\w+) : (?\w+)"

But this isn't working. Can you guys point me in the right direction?
I have tried various combinations of these inserting spaces (\s) where we see spaces in the event.

ninadmnaik · ‎09-19-2012

Ok. Found the answer:
rex field=_raw "EXCEPTION\s-\s\s:(?[\s\w]+): (?\w+.\w+) : (?[\w\s]+)"

View solution in original post

ninadmnaik · ‎09-19-2012

Ok. Found the answer:
rex field=_raw "EXCEPTION\s-\s\s:(?[\s\w]+): (?\w+.\w+) : (?[\w\s]+)"

Extract raw data using rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation