Solved: How to create a search for the fields using regex?

damucka · ‎03-13-2019

Hello,

I have the following string pattern (source):

/trace/DB_BWP/xsengine_ls5925.30246.crashdump.20190312-213001.009072.trc

Now I need to create at search following fields:
- DBSID, being "BWP" in this case
- servis, being the "xsengine"
- filename, being "xsengine_ls5925.30246.crashdump.20190312-213001.009072.trc"

For the filename I managed to find the following:

 | rex field=source "(?<filename>[\w\d\.-]+$)"

But somehow I struggle with the first two ...

Kind Regards,
Kamil

vnravikumar · ‎03-13-2019

Hi @damucka

Try like

| makeresults 
| eval log="/trace/DB_BWP/xsengine_ls5925.30246.crashdump.20190312-213001.009072.trc" 
| rex field=log "\/.+_(?P<DBSID>.+)\/(?P<servis>.+)\_(?<filename>.+)$" 
| eval filename = servis."_".filename

View solution in original post

vnravikumar · ‎03-13-2019

Hi @damucka

Try like

| makeresults 
| eval log="/trace/DB_BWP/xsengine_ls5925.30246.crashdump.20190312-213001.009072.trc" 
| rex field=log "\/.+_(?P<DBSID>.+)\/(?P<servis>.+)\_(?<filename>.+)$" 
| eval filename = servis."_".filename

damucka · ‎03-14-2019

Hi @vnravikumar

Thank you, it work fine.

Kind regards,
Kamil

How to create a search for the fields using regex?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to create a search for the fields using regex?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...