I want to create a field which extract values, however I have some field values that I want to extract which contain more than one word.
For instance:
I want the 'auth' and 'SECURE AUDIT' values to be considered as part of the same field that I am going to create. However I got the field extraction error message: "The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."
Basically I want to extract the text between the yellow boxed text and the value '0' to be added as a field.
How can I add the field such that I don't get the error?
Splunk only highlighted the first word 'SECURE' instead of 'SECURE AUDIT', which is not what I want.
Output with the following regex suggested:
(?:[^\s]+\s){2}(?P[^\s]+(?:\s\w+)?)\s\d+\s+<
I tried to modify the regex by removing the 'w', and it highlighted only the 'auth' texts and 'AUDIT' without the 'SECURE'
To display the result output I have removed my second image as Splunk only allows two image files uploaded.
Regular expression generated by Splunk:
^(?:[^ \n]* ){3}(?P\w+\s+\w+)
I realized the regex suggested by one user extracted wrongly as he/she did not include < 37 > 1 at the front of the lines as indicated in my text line. The wording got misaligned and hence the wrong extraction.
https://regex101.com/r/biHi9a/4
The link above is the correct sample text that I want to work with. Would appreciate any help to modify it to achieve my desired results.
Here it is a working complete example with the extraction of "field1"
| makeresults count=2
| streamstats count
| eval _raw=case(count==1,"<37> 1 2018-04-23T08:08:08Z E876876876 SECURE AUDIT 0 <secure audit error> [cdkncdckne dckmdkcmd]",count==2,"<37> 1 2018-04-23T08:08:08Z E876876876 auth 0 <login> [kdnckn rrgrr]
<37> 1 2018-04-23T08:08:08Z E876876876 auth 0 <login> [kdnckn rrgrr]")
| rex field=_raw "<\d+>\s+\d+\s+(?:[^\s]+\s){2}(?P<field1>[^\s]+(?:\s+\w+)*)\s\d+\s+<"
