Solved: Help with regex needed

damucka · ‎11-15-2021

Hello,

We have Django logs in following format:

11/15/2021 08:34:38 [INFO - 171 ] - [tenant_move.py] - [STOP_PROCESS] : STOP_PROCESS(HANA Tenant Move Alerts) completed successfully - Rows affected : 1

and we would like to extract the following fields using regex, on the above example:

TYPE=INFO

LINE=171

SCRIPT=tenant_move.py

MODULE=STOP_PROCESS

.. ideally using single regex expression and not 4 separate.

Could anyone help?

Kind regards,

Kamil

gcusello · ‎11-15-2021

Hi @damucka,

please try this regex:

| rex "\d+\/\d+\/\d+\s+\d+:\d+:\d+\s+\[(?<TYPE>\w+)\s+-\s+(?<LINE>\d+)[^\[]+\[(?<SCRIPT>[^\]]+)[^\[]+\[(?<MODULE>[^\]]+)"

that you can test at https://regex101.com/r/cM1Jwj/1

Ciao.

Giuseppe

View solution in original post

gcusello · ‎11-15-2021

Hi @damucka,

please try this regex:

| rex "\d+\/\d+\/\d+\s+\d+:\d+:\d+\s+\[(?<TYPE>\w+)\s+-\s+(?<LINE>\d+)[^\[]+\[(?<SCRIPT>[^\]]+)[^\[]+\[(?<MODULE>[^\]]+)"

that you can test at https://regex101.com/r/cM1Jwj/1

Ciao.

Giuseppe

gcusello · ‎11-15-2021

Hi @damucka,

good for you, see next time!
Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Help with regex needed

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation

Help with regex needed

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!