Splunk Search

Help with field extraction for specific start line for log

joesrepsolc
Communicator

Trying to extract the value of the 1st WORD in line 3 of each log (i.e. FAILURE or SUCCESS) and put that into a field extraction called "Status". The 3rd line will start with that word, then be followed by a colon, then a space.
REGEX skills still lacking. Trying to learn. Help anyone???

>Informational  August 9, 2019 9:45:40 AM CDT
Transaction "Name of Transaction" Summary:
FAILURE: Message failed at August 09, 2019 09:45:40 AM
Inbound transaction
Error scheduling linked transaction (TransactionName): Attempt to run TransactionName as linked job but it has 'Do Not Run' set.

>Informational  August 9, 2019 9:50:02 AM CDT
Transaction "Name of Transaction" Summary:
SUCCESS: TransactionName was successful at August 09, 2019 09:50:02 AM
Outbound transaction
Source files FTP'd from SOURCE to DESTINATION
0 Karma
jpolvino
Builder

This will give you whatever is after "Summary:" followed by 1 or more spaces:

| rex "Summary:\s+(?<Status>[^:]+):"

0 Karma

joesrepsolc
Communicator

This works great for inline searches too. I was trying not to have to do this in every search though, so the field extraction method is working best for me. Still appreciate the quick answers too jpolvino.

I see the logic you're using too. So anything after the "Summary: " up to the next line up to the ":" right? Man, I need to understand this stuff better.

Thank you.

0 Karma

jpolvino
Builder

Glad Giuseppe's search worked for you. The strategy I used above is handy for many searches, where you are looking for a bunch of characters that are NOT something. In my example, the [^:]+ means "match 1 or more characters that do not include a colon." This strategy is invaluable when working with delimiters such as space, comma, double quote, etc.

0 Karma

joesrepsolc
Communicator

Love it. I still get mixed up between characters and whole words. Still learning. But this logic is very helpful. Thanks!

0 Karma

michael_schmidt
Path Finder

Regex101.com as shown in the links they provided will be your godsend when it comes to creating and testing regexes.

0 Karma

joesrepsolc
Communicator

I am using that, it's just hard to figure out which commands/syntax work. When I copy/paste in the ones from this helpful community, they always work perfectly (annoying... haha). It's just getting to the point of knowing when to use what solution. I'll get there!!!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi joesrepsolc,
if your values are only SUCCESS or FAILURE, you could use something like this

(?ms)(?<my_field>FAILURE|SUCCESS):

test it at https://regex101.com/r/UEahRa/1

Bye.
Giuseppe

joesrepsolc
Communicator

WOW, that was fast and works perfectly! Dissecting the regex to understand it. Always impressed by how helpful everyone is on this site. So thank you!

I was stuck on using the caret ^ at the beginning of the line; guess that would still work though, just learning more about regex use in Splunk.

0 Karma
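The two patterns from this thread run against the sample events, as an added example that is not from any of the posters. Python's re module needs (?P<name>...) for named groups, so the PCRE (?<name>...) groups are rewritten; the third event is constructed (not from the original post) to show why anchoring the alternation with ^ under the (?m) flag matters, and that [^:]+ can run across lines when no status line is present.

```python
import re

# The two events from the question, plus a constructed third event whose
# free text mentions "SUCCESS:" mid-line but has no real status line.
EVENTS = [
    ">Informational  August 9, 2019 9:45:40 AM CDT\n"
    'Transaction "Name of Transaction" Summary:\n'
    "FAILURE: Message failed at August 09, 2019 09:45:40 AM\n"
    "Inbound transaction\n"
    "Error scheduling linked transaction (TransactionName): Attempt to run "
    "TransactionName as linked job but it has 'Do Not Run' set.",
    ">Informational  August 9, 2019 9:50:02 AM CDT\n"
    'Transaction "Name of Transaction" Summary:\n'
    "SUCCESS: TransactionName was successful at August 09, 2019 09:50:02 AM\n"
    "Outbound transaction\n"
    "Source files FTP'd from SOURCE to DESTINATION",
    # Constructed event: the status word appears only inside a message.
    ">Informational  August 9, 2019 9:55:00 AM CDT\n"
    'Transaction "Name of Transaction" Summary:\n'
    "Inbound transaction\n"
    "Note: upstream reported SUCCESS: retry not needed",
]

# gcusello's pattern, in Python group syntax: matches the word anywhere.
UNANCHORED = re.compile(r"(?ms)(?P<Status>FAILURE|SUCCESS):")
# Same alternation anchored to a line start: with (?m), ^ matches after
# every newline, so only a line that begins with the word is extracted.
ANCHORED = re.compile(r"(?m)^(?P<Status>FAILURE|SUCCESS):")
# jpolvino's pattern: text after "Summary:" and whitespace, up to the next colon.
AFTER_SUMMARY = re.compile(r"Summary:\s+(?P<Status>[^:]+):")


def extract(pattern, event):
    """Return the Status field for one event, or None if the pattern misses."""
    m = pattern.search(event)
    return m.group("Status") if m else None


def extract_all(pattern, events=EVENTS):
    """Apply one extraction pattern to every event, like a field extraction would."""
    return [extract(pattern, e) for e in events]


if __name__ == "__main__":
    for name, pat in [("unanchored", UNANCHORED), ("anchored", ANCHORED),
                      ("after Summary:", AFTER_SUMMARY)]:
        print(f"{name:15} {extract_all(pat)!r}")
```

The unanchored alternation reports SUCCESS for the third event even though no status line exists, and the negated class pattern returns a multi-line fragment there; the anchored form leaves the field empty, which is the behaviour you want before alerting on Status.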

gcusello
SplunkTrust
SplunkTrust

Always at your disposal!
Bye and see next time.
Giuseppe

0 Karma