Solved: How do you make a regex expression to capture ever...

MikaJustasACN · ‎10-27-2018

Hello,

Cannot crack this one. I have the following event:

Fri Oct 26 07:19:41 2018
STATS: GATHER_STATS_JOB encountered errors. Check the trace file.
Errors in file G:\lumpy\bumpy\ykt\ttee\hee\trace.trc:

Code: timeout occurred

This an example event, and it does not have the exact character matches or exact number of lines, so basically I need to pick everything after the year \d{4}. Even If I set to ignore the line new line, it always extracts only the first line after the timestamp, but never all the lines. In regex101 it works fine.

rex I am using: | rex field=_raw "\n(?(.|\n)*)"

MikaJustasACN · ‎10-27-2018

The following rex did the trick. it was not new line \n but some other stuff (one or several of [\r\n\t\f\v ] )

\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}\s(?(.+|\s)*)

If anyone sees how this can be improved, would be great 🙂

View solution in original post

renjith_nair · ‎10-27-2018

@MikaJustasACN ,

Try this in splunk,

rex field=_raw "\d{4}(?<MY_FIELD>(.|\s)*)"

Extract everything after the "year" field

---
What goes around comes around. If it helps, hit it with Karma 🙂

MikaJustasACN · ‎10-27-2018

The following rex did the trick. it was not new line \n but some other stuff (one or several of [\r\n\t\f\v ] )

\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}\s(?(.+|\s)*)

If anyone sees how this can be improved, would be great 🙂

How do you make a regex expression to capture everything after the timestamp?

Cannot crack this one. I have the following event:

Code: timeout occurred

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?