Solved: Fields Extraction using RegEx

syazwani · ‎09-23-2021

Hi, i want to extract bytes fields (using the bytes values) from this:

Sep 23 14:11:52 XXX.XXX.X.XX date=2021-09-23 time=14:11:52.004 device_id=FE-3KET123 log_id=6716781232 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id="47K0CjSc111111-47K0CjSc111111" msg="to=<XXXXXXXX@hotmail.com>, delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=61772, relay=hotmail-com.olc.protection.outlook.com. [XXX.XX.XX.XXX], dsn=2.0.0, stat=Sent (<d97263bhagstbhbhet7c01f54636vfd37@GGP0HSDVVHHA9.XXX.XXX.XXX> [InternalId=32836723661134, Hostname=XXXXXXXXXX.namXXXX.prod.outlook.com] 71422 bytes in 0.303, 229.746 KB/sec Queued mail for delivery -> 250 2.1.5)"

I've already found the regex - (?<bxmt>\d+) bytes
But it didnt seem to work fine.
Can anyone help?

ashvinpandey · ‎09-24-2021

@syazwani Try using the below rex:

| rex field=_raw "InternalId.*\]\s(?<bxmt>\d+?)\sbytes"

Also, If this reply helps you, an upvote would be appreciated.

View solution in original post

ashvinpandey · ‎09-24-2021

@syazwani Try using the below rex:

| rex field=_raw "InternalId.*\]\s(?<bxmt>\d+?)\sbytes"

Also, If this reply helps you, an upvote would be appreciated.

ITWhisperer · ‎09-23-2021

It looks OK - how are you using it?

You could try using \s instead of spaces

\s(?<bxmt>\d+)\sbytes

Fields Extraction using RegEx

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation