Solved: How to convert a working rex statement to a field ...

ebailey · ‎12-28-2015

Sample data:

12/28/2015 11:39:14.113 -0600
collection="MSMQ Queue"
object="MSMQ Queue"
counter="Messages in Queue"
instance="hostname"\private$\test_test_1062
Value=4

I have a working rex that extracts test_test_1062 to the following:

queueName=test_test_1062

using this rex:

| rex field=instance \\\(?<queueName>[^\\]+)$\"

If I try to convert this to a field extraction, I get the following error message

Encountered the following error while trying to update: In handler 'props-extract': Regex: unmatched parentheses

If I remove a slash from each group of slashes then I can save the field extraction, but then the result is not accurate and the last line is captured so I get this

queueName=test_test_1062 Value=4

The instance field has several variations, so I cannot get the IFX to work correctly once I load all the variations into it. Basically I just need all the text after private$ until a white space occurs, but I cannot figure out how to make that happen and also work as a field extraction.

Thanks!

richgalloway · ‎12-28-2015

This worked for me. I just replaced the '$' with '\s' to get everything until the next white space.

\\(?<queueName>[^\\]+)\s

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-28-2015

This worked for me. I just replaced the '$' with '\s' to get everything until the next white space.

\\(?<queueName>[^\\]+)\s

---
If this reply helps you, Karma would be appreciated.

ebailey · ‎01-04-2016

perfect - thanks

How to convert a working rex statement to a field extraction?

Splunk Observability Cloud | Customer Survey!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Starting With Observability: OpenTelemetry Best Practices