Splunk Search

Help with field extraction for specific start line for log

joesrepsolc
Communicator

Trying to extract the value of the 1st WORD in line 3 of each log (i.e. FAILURE or SUCCESS) and put that into a field extraction called "Status". The 3rd line will start with that word, then be followed by a colon, then a space.
REGEX skills still lacking. Trying to learn. Help anyone???

>Informational  August 9, 2019 9:45:40 AM CDT
Transaction "Name of Transaction" Summary:
FAILURE: Message failed at August 09, 2019 09:45:40 AM
Inbound transaction
Error scheduling linked transaction (TransactionName): Attempt to run TransactionName as linked job but it has 'Do Not Run' set.

>Informational  August 9, 2019 9:50:02 AM CDT
Transaction "Name of Transaction" Summary:
SUCCESS: TransactionName was successful at August 09, 2019 09:50:02 AM
Outbound transaction
Source files FTP'd from SOURCE to DESTINATION
0 Karma
1 Solution

gcusello
SplunkTrust

Hi joesrepsolc,
if your values are only SUCCESS or FAILURE, you could use something like this

(?ms)(?<my_field>FAILURE|SUCCESS):

test it at https://regex101.com/r/UEahRa/1

Bye.
Giuseppe

jpolvino
Builder

This will give you whatever is after "Summary:" followed by 1 or more spaces:

| rex "Summary:\s+(?<Status>[^:]+):"

See link text

0 Karma

joesrepsolc
Communicator

This works great for inline searches too. I was trying not to have to do this in every search though, so the field extraction method is working best for me. Still appreciate the quick answers too jpolvino.

I see the logic you're using too. So anything after the "Summary: " up to the next line up to the ":" right? Man, I need to understand this stuff better.

Thank you.

0 Karma

jpolvino
Builder

Glad Giuseppe's search worked for you. The strategy I used above is handy for many searches, where you are looking for a bunch of characters that are NOT something. In my example, the [^:]+ means "match 1 or more characters that do not include a colon." This strategy is invaluable when working with delimiters such as space, comma, double quote, etc.

0 Karma
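To see the two approaches from this thread side by side (Giuseppe's alternation pattern and jpolvino's "Summary:" plus negated-character-class pattern), here is an added example that is not from the original thread or from Splunk. It runs the patterns over three constructed events: the two from the question plus a third, invented one whose transaction name happens to contain "FAILURE:", which is the edge case where an unanchored alternation picks up the wrong line. A fourth pattern using the caret with (?m), and the quoted-name pattern, are my own assumptions, added to illustrate the line-anchor question and the negated-class trick with a different delimiter. Python's re module spells named groups (?P<name>...) rather than the PCRE (?<name>...) that Splunk accepts, so the helper rewrites that one token; in Splunk the group name becomes the field name, which is why the OP would write Status where Giuseppe wrote my_field.

```python
import re
from collections import Counter
from typing import List, Optional

# Constructed sample events: the two events from the question, plus a third,
# invented one whose transaction name contains "FAILURE:" before the status line.
EVENTS = [
    '>Informational  August 9, 2019 9:45:40 AM CDT\n'
    'Transaction "Name of Transaction" Summary:\n'
    'FAILURE: Message failed at August 09, 2019 09:45:40 AM\n'
    'Inbound transaction\n'
    "Error scheduling linked transaction (TransactionName): Attempt to run "
    "TransactionName as linked job but it has 'Do Not Run' set.",

    '>Informational  August 9, 2019 9:50:02 AM CDT\n'
    'Transaction "Name of Transaction" Summary:\n'
    'SUCCESS: TransactionName was successful at August 09, 2019 09:50:02 AM\n'
    'Outbound transaction\n'
    "Source files FTP'd from SOURCE to DESTINATION",

    # Constructed edge case (not from the thread): "FAILURE:" appears inside the
    # quoted transaction name on line 2, but the real status on line 3 is SUCCESS.
    '>Informational  August 9, 2019 9:55:00 AM CDT\n'
    'Transaction "Check FAILURE: alerts" Summary:\n'
    'SUCCESS: TransactionName was successful at August 09, 2019 09:55:00 AM\n'
    'Outbound transaction\n'
    "Source files FTP'd from SOURCE to DESTINATION",
]

# Patterns from the thread, written exactly as Splunk (PCRE) would take them.
ALTERNATION = r"(?ms)(?<my_field>FAILURE|SUCCESS):"      # gcusello's solution
AFTER_SUMMARY = r"Summary:\s+(?<Status>[^:]+):"           # jpolvino's rex

# Assumed patterns, added for illustration only:
LINE_ANCHORED = r"(?m)^(?<Status>\w+):"                   # caret + multiline: first line that begins WORD:
TRANSACTION_NAME = r'Transaction "(?<Transaction>[^"]+)" Summary:'  # negated class with " as delimiter


def to_python(pcre: str) -> str:
    """Rewrite PCRE-style named groups (?<name>...) to Python's (?P<name>...).
    Everything else in these patterns is understood by both engines."""
    return pcre.replace("(?<", "(?P<")


def extract(pattern: str, event: str) -> Optional[str]:
    """Return the first captured group of the first match, or None (no field)."""
    m = re.search(to_python(pattern), event)
    return m.group(1) if m else None


def extract_all(pattern: str) -> List[Optional[str]]:
    """Apply one extraction to every sample event, in order."""
    return [extract(pattern, e) for e in EVENTS]


def status_counts(pattern: str) -> dict:
    """Tally extracted values, the way '| stats count by Status' would."""
    return dict(Counter(v for v in extract_all(pattern) if v is not None))


if __name__ == "__main__":
    for name, pat in [("ALTERNATION", ALTERNATION), ("AFTER_SUMMARY", AFTER_SUMMARY),
                      ("LINE_ANCHORED", LINE_ANCHORED), ("TRANSACTION_NAME", TRANSACTION_NAME)]:
        print(f"{name:17} {extract_all(pat)}")
```

On the two real events every pattern agrees. On the constructed third event the bare alternation returns FAILURE because it matches the first "FAILURE:" anywhere in the event, while the "Summary:"-anchored and caret-anchored versions return SUCCESS; that difference is worth checking before a status field feeds an alert or a dashboard.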

joesrepsolc
Communicator

Love it. I still get mixed up between characters, and whole words. Still learning. But this logic is very helpful. Thanks!

0 Karma

michael_schmidt
Path Finder

Regex101.com as shown in the links they provided will be your godsend when it comes to creating and testing regexes.

0 Karma

joesrepsolc
Communicator

I am using that, just hard to figure out which commands/syntax works. When I copy/paste in the ones from this helpful community, they always work perfectly (annoying... haha). It's just getting to the point to know when to use what solution. I'll get there!!!

0 Karma

joesrepsolc
Communicator

WOW. That was fast and works perfectly! Dissecting the regex to understand. Always impressed on how helpful everyone is on this site. So thank you!

I was stuck on using the caret ^ at the beginning of the line, guess that would still work though, just learning more about regex use in Splunk.

0 Karma

gcusello
SplunkTrust

Always at your disposal!
Bye and see next time.
Giuseppe

0 Karma