Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my regex to extract this value from my data?

ibekacyril
Explorer
‎04-07-2016 11:54 AM

This should be an easy thing to do but obviously, I am missing it. I need to extract "cannot be located"

c.f.a.k.m.SessionDaoImpl - The owner with id: s3498-34ef-034456d-c65a5678-fcd4-11e5-a5d4f cannot be located

[2016-04-07 15:41:44,760]​

Here is my code:

my search | rex  "c\.f\.a\.k\.m\.SessionDaoImpl\s\-\sThe\sowner\swith\sid:\s[\w+\d+]\s(?<captureThis>\w+)"\[

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-07-2016 12:12 PM

Try this instead:

my search 
| rex "(?msi):\s+[\w\-]+\s+(?<message>[\w\s]+)"

And then use the message variable as you wish.

EDIT to include code description as requested:

(?msi) --> support for multiline, "single line mode" makes the dot match all characters including line breaks, case insensitive
:\s+ --> find a colon followed by multiple blank spaces
[\w\-]+\s+ --> Look for 1 or more alphanumerical characters or hyphens followed by 1 or more blanks
(?<message>[\w\s]+) --> capture in the token message 1 or more alphanumerical or blank space characters

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-07-2016 12:12 PM

Try this instead:

my search 
| rex "(?msi):\s+[\w\-]+\s+(?<message>[\w\s]+)"

And then use the message variable as you wish.

EDIT to include code description as requested:

(?msi) --> support for multiline, "single line mode" makes the dot match all characters including line breaks, case insensitive
:\s+ --> find a colon followed by multiple blank spaces
[\w\-]+\s+ --> Look for 1 or more alphanumerical characters or hyphens followed by 1 or more blanks
(?<message>[\w\s]+) --> capture in the token message 1 or more alphanumerical or blank space characters
Reply
Solved! Jump to solution

ibekacyril
Explorer
‎04-07-2016 01:10 PM

Hi javiergn, I am only able to extract doesn. Could you explain you code too?
Thanks

0 Karma
Reply
Solved! Jump to solution

ibekacyril
Explorer
‎04-07-2016 01:14 PM

Just tweaked it and got "doesn't exist" by adding \'. How can I tweak it to get:
The owner with id doesn't exist

Thanks

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-07-2016 01:34 PM

Hi,

I'm not sure what you mean. For instance, if I run the following in order to replicate your logs:

| stats count
| eval _raw ="c.f.a.k.m.SessionDaoImpl - The owner with id: s3498-34ef-034456d-c65a5678-fcd4-11e5-a5d4f cannot be located [2016-04-07 15:41:44,760]​"
| rex "(?msi):\s+[\w\-]+\s+(?<message>[\w\s]+)"
| table message

I get the output:

message
cannot be located

Isn't that what you are trying to achieve?
If not, can you post your whole query here so that we can investigate a bit more?

Thanks,
J

0 Karma
Reply
Solved! Jump to solution

ibekacyril
Explorer
‎04-08-2016 07:39 AM

Hi J, I finally got it working. Thanks, it was my mistake

0 Karma
Reply
Solved! Jump to solution

ibekacyril
Explorer
‎04-08-2016 08:15 AM

Hi J, is there a way of combining two rex searches together say the first one like above and then I have this second rex "[Status] .+? - (?.+)" | code that combines message and output into one name (outMessage)

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-09-2016 05:59 AM

You could do something like:

your search here
| rex "(?msi):\s+[\w\-]+\s+(?<message>[\w\s]+)"
| rex "\[Status\] .+?\-(?<output>.+)"
| eval outMessage = message + output

Careful with your regex by the way. If you don't escape the special characters it won't work as expected.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...