How to REX an entire line if it contains a keyword

like2splunk
Explorer

I want to REX an entire line if it contains a particular keyword. The event looks like this:

2017-03-08 10:34:34,067 [ WARN] {Application Queue} (com.iba.tcs.beam.bds.devices.impl.gateway.rpc.ScanningControllerProxy) - ScanningController failure: NECU Transitioned to Error State
NECU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83
FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83
RCU Error: [0x1] Threshold Violation : Timeslice: 162 Submap: 83
(X_VOLT_SEC_FB: -1.858963 V MapThresholdLow: -6.005e-02 MapThresholdHigh: 4.256e-01)
SGCU Error: [0x10] _FilteringAbsolute : Timeslice: 159 Submap: 83
(MIN_CHARGE_PRIM: 6.159e-10 C AbsoluteThresholdLow: 7.119e-10 AbsoluteThresholdHigh: 7.569e-10)

This is one single event (one timestamp) with five total lines. I want to rex each one of the errors separately but I need to preserve the label. For example, I want the following to be the result of the rex from this event:

FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83

In this case, the keyword is "FCU Error" but I need to keep that string instead of rexing everything after this string.
How do I rex the entire line if it matches this keyword?


richgalloway
SplunkTrust
SplunkTrust

This works for me in regex101.com:

(?<error>FCU Error: .*)
---
If this reply helps you, Karma would be appreciated.


somesoni2
Revered Legend

How about this?
If the order of the different types of error is fixed, then try like this

Your base search
| rex "NECU Error:\s*(?<NECU_ERROR>.+)[\s\S]*?FCU Error:\s*(?<FCU_Error>.+)[\s\S]*?RCU Error:\s*(?<RCU_Error>.+)[\s\S]*?SGCU Error:\s*(?<SGCU_Error>.+)"

If not, then try like this

your base search
| rex "NECU Error:\s*(?<NECU_ERROR>.+)"
| rex "FCU Error:\s*(?<FCU_Error>.+)"
| rex "RCU Error:\s*(?<RCU_Error>.+)"
| rex "SGCU Error:\s*(?<SGCU_Error>.+)"
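Added example (not from either answer above): a stand-alone Python check of both approaches against the question's five-line event, using Python's `re` with `(?P<name>...)` groups where Splunk's PCRE writes `(?<name>...)`. It shows the accepted answer's whole-line capture, the one-rex-per-label approach, and why a single combined regex needs a lazy `[\s\S]*?` separator rather than `[\r\n]+` when detail lines sit between the labelled ones.

```python
import re

# Constructed sample: the five-line event from the question, joined with "\n".
EVENT = (
    "2017-03-08 10:34:34,067 [ WARN] {Application Queue} "
    "(com.iba.tcs.beam.bds.devices.impl.gateway.rpc.ScanningControllerProxy) "
    "- ScanningController failure: NECU Transitioned to Error State\n"
    "NECU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83\n"
    "FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83\n"
    "RCU Error: [0x1] Threshold Violation : Timeslice: 162 Submap: 83\n"
    "(X_VOLT_SEC_FB: -1.858963 V MapThresholdLow: -6.005e-02 MapThresholdHigh: 4.256e-01)\n"
    "SGCU Error: [0x10] _FilteringAbsolute : Timeslice: 159 Submap: 83\n"
    "(MIN_CHARGE_PRIM: 6.159e-10 C AbsoluteThresholdLow: 7.119e-10 AbsoluteThresholdHigh: 7.569e-10)"
)

LABELS = ("NECU", "FCU", "RCU", "SGCU")


def rex_line_with_label(event, label):
    """Accepted answer's pattern, e.g. (?<error>FCU Error: .*): the label stays in
    the capture, and because '.' never crosses a newline, '.*' stops at line end."""
    m = re.search(r"(?P<error>" + re.escape(label) + r": .*)", event)
    return m.group("error") if m else None


def rex_each_error(event, labels=LABELS):
    """One rex per label (somesoni2's fallback): label -> text after 'Label Error:'."""
    found = {}
    for lab in labels:
        m = re.search(lab + r" Error:\s*(?P<v>.+)", event)
        if m:
            found[lab] = m.group("v")
    return found


def rex_consecutive_only(event):
    """Combined regex with [\r\n]+ between groups: only matches when the four
    labelled lines are adjacent. Returns None here because a '(...)' detail
    line sits between the RCU and SGCU lines."""
    sep = r"[\r\n]+"
    pat = sep.join(lab + r" Error:\s*(?P<" + lab + r">.+)" for lab in LABELS)
    m = re.search(pat, event)
    return m.groupdict() if m else None


def rex_all_in_one(event):
    """Same combined regex with a lazy [\s\S]*? separator, which skips any
    intervening lines, so all four errors are captured in a single rex."""
    sep = r"[\s\S]*?"
    pat = sep.join(lab + r" Error:\s*(?P<" + lab + r">.+)" for lab in LABELS)
    m = re.search(pat, event)
    return m.groupdict() if m else None
```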
