Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Formatting Log Name with Regex

JibBgh
New Member
‎08-03-2016 07:09 AM

Hello. I am currently trying to do something with a list of logs that I have been given.

All of the logs have the same format:

/this/is/.../an_example_relevantInformationHere.2016-08-03.log

What I want to do is to use regex to search through the strings and to find the part that says relevantInformationHere and create a table with that as the header. Right now my rex looks like:

..|rex "an_example_(?\w+)."| table parameterName

It looks like it worked in the regex testers that I used, but I am not receiving the expected output in splunk. What am I doing wrong and is there a difference between the splunk regex and the regex on another site?

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-03-2016 07:46 AM

Try this

... | rex field=_raw "_\w+_(?<parameterName>\w+)\." | table parameterName

View solution in original post

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎08-03-2016 08:46 AM

Assuming you are talking about the source field give this a go:

| rex field=source "(?<parameterName>[a-zA-Z]+)\.\d{4}-\d{2}-\d{2}\.\w+"

Keep in mind you can play with the following bit [a-zA-Z]+ to accept whatever symbols you might expect in your relevant information section. Also remember \w+ includes underscores.

Hope that helps

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-03-2016 07:46 AM

Try this

... | rex field=_raw "_\w+_(?<parameterName>\w+)\." | table parameterName
0 Karma
Reply
Solved! Jump to solution

JibBgh
New Member
‎08-03-2016 07:58 AM

When I tried that, it ended up putting the raw string parameterName instead of the actual value it should be.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-03-2016 08:42 AM

I just test this run anywhere sample and it works. Can you test this and let me know the results

| makeresults | eval x="/this/is/.../an_example_relevantInformationHere.2016-08-03.log" | rex field=x "_\w+_(?<parameterName>\w+)\." | table parameterName
0 Karma
Reply
Solved! Jump to solution

JibBgh
New Member
‎08-03-2016 11:30 AM

That worked properly, however, will this work properly without hard coding the name?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-03-2016 11:38 AM

Is the name of the file. As in the source? If it is, change the rex command to this and it should work

rex field=source "_\w+_(?<parameterName>\w+)\."
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...