Field extraction using rex

ChhayaV · ‎08-12-2013

Hi,

I have a field called message and now i'm trying to extract a ErrorIdentifier from that message field.
Below is the sample log entries of sharepoint:

7/8/13 8:49:34.360 AM 07/08/2013 08:49:34.36 w3wp.exe (0x0AD8) 0x698C SharePoint Foundation General 8e2s Medium Unknown SPRequest error occurred. More information: 0x80070005 880cf2d3-7093-4a52-94dc-4261ccdbf2aa 7/8/13 8:27:26.670 AM 07/08/2013 08:27:26.67 w3wp.exe (0x0AD8) 0x9404 SharePoint Foundation General 8e2s Medium Unknown SPRequest error occurred. More information: 0x80070002 7/8/13 10:12:04.460 AM 07/08/2013 10:12:04.46 w3wp.exe (0x0AD8) 0x4CB4 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:https://www.myvantageconnect.co.in:443/_LAYOUTS/ClientPortal/SilverlightWebParts/PROD/System.ComponentModel.Composition.zip)). Execution Time=34.7719304398

Here i just want extract a patterns "0x80070005" from message field.
I tried with this regex :

host="sharepoint" | rex field=msg "(?i) .*?: (?P<FieldIdentifier>\d+\w+)(?=\t)" | table ErrorIdentifier

If i do so it's not extracting the desirable output.

Note: The pattern always followed by the word "More information:" in a message field.
So please help regarding this.

Thank you

kristian_kolb · ‎08-12-2013

Try this;

host=sharepoint | rex "\sMore\sinformation:\s(?<my_err_code>[\dxA-F]+)" | table my_err_code

You can skip the A-F in the character class if only numbers and 'x' are valid.

/K

Field extraction using rex

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

Field extraction using rex

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0