Solved: Extract raw data using rex

ninadmnaik · ‎09-19-2012

I want to extract exception, key and message from a raw event in our logs. The event looks like:

EXCEPTION - : TypeOfException : keyprefix.keyName : Message from web service

From the event I use REX to get the following:

exception=TypeOfException
key=keyprefix.keyName
message=Message from web service

I am using the following rex for it:

rex field=_raw "EXCEPTION - : (?\w+) : (?\w+) : (?\w+)"

But this isn't working. Can you guys point me in the right direction?
I have tried various combinations of these inserting spaces (\s) where we see spaces in the event.

ninadmnaik · ‎09-19-2012

Ok. Found the answer:
rex field=_raw "EXCEPTION\s-\s\s:(?[\s\w]+): (?\w+.\w+) : (?[\w\s]+)"

View solution in original post

ninadmnaik · ‎09-19-2012

Ok. Found the answer:
rex field=_raw "EXCEPTION\s-\s\s:(?[\s\w]+): (?\w+.\w+) : (?[\w\s]+)"

Extract raw data using rex

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Extract raw data using rex

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...