Solved: How do I extract this field from my sample data?

splgeek · ‎10-26-2016

I want to extract the PHP Message as a field so I can have all the various php error messages:

2016/10/20 21:23:18 [error] 26550#26550: *9254611 FastCGI sent in stderr: "PHP message: PHP Warning:  trim() expects parameter 1 to be string, array given in /var/www/html/xx/xxxx-xx.xxxx.xxx.com/wordpress/wp-includes/option.php on line 247" while reading response header from upstream, client: 0.0.0.00, server: _, request: "GET / HTTP/1.1", upstream: "fastcgi://000.0.0.1:9000", host: "xxx.xx.com"

somesoni2 · ‎10-26-2016

Give this a try

your base search | rex "PHP message\: (?<PHPError>[^\"]+)"

View solution in original post

somesoni2 · ‎10-26-2016

Give this a try

your base search | rex "PHP message\: (?<PHPError>[^\"]+)"

splgeek · ‎10-26-2016

thanks
that did work
so this could not have been possible with the IFX right?

somesoni2 · ‎10-26-2016

I think it would. Be sure to select the whole string that you want to extract OR you can specify your own regex (this one) in the IFX to save it.

How do I extract this field from my sample data?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...