Splunk Search

Extract two field into two variable from a single line of log

anilkashyap
New Member

I want to extract the PID number from the log and store in variable failedPID. i have many of this kind of message with different Application Names.

Application: MM Viewer, PID: 7988 failed
Application: Database Browser App, PID: 6788 failed
Application: CentralViewer, PID: 7978 failed

i am using

rex  "Application:  (?<failedPID>.*) failed" | dedup 1 _time | chart count by failedPID

which is giving me output as

MM Viewer, PID: 7988
Database Browser App, PID: 6788
CentralViewer, PID: 7978

my ultimate goal is to store Application name in failedApp variable and PID in failedPID avriable.

Tags (3)
0 Karma
1 Solution

DavidHourani
Super Champion

Hi @anilkashyap,

If this only applies to failed events, then try this :

| rex  field=_raw  "Application:\s(?<failedApp>.+),\sPID:\s(?<failedPID>\d+)\sfailed"

Cheers,
David

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi anilkashyap,
you can extract both the fields using one regex:

| rex "Application:\s+(?<failedApp>[^,]*),\s+PID:\s+(?<failedPID>\d*)\s+failed"

You can test it at https://regex101.com/r/piK2bJ/1

Bye.
Giuseppe

0 Karma

DavidHourani
Super Champion

Hi @anilkashyap,

If this only applies to failed events, then try this :

| rex  field=_raw  "Application:\s(?<failedApp>.+),\sPID:\s(?<failedPID>\d+)\sfailed"

Cheers,
David

0 Karma

renjith_nair
Legend

@anilkashyap

Try

|rex  "Application:\s+(?<failedApp>.+),\s+PID:\s+(?<failedPID>\d+)"
Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...