Splunk Search

How to edit my regular expression to extract these fields from my sample data using rex?

Communicator

Looking for some help with rex. The raw data looks like this,

value= Name : SiteScope.exe MemGB : 6568 Name : powershell_ise.exe MemGB : 153 Name : WmiPrvSE.exe MemGB : 146 Name : powershell_ise.exe MemGB : 143 Name : powershell.exe MemGB : 98 17496 Mon Aug 08 15:30:38 2016 stopping 17496 end perfex 31:19    0   3583    3583    Name : SiteScope.exe MemGB : 6568 Name : powershell_ise.exe MemGB : 153 Name : WmiPrvSE.exe MemGB : 146 Name : powershell_ise.exe MemGB : 143 Name : powershell.exe MemGB : 98 17496 Mon Aug 08 15:30:38 2016 stopping 17496 end perfex

I tried Name\s:\s+(?\w+.exe\s\w+\s+:\s\d+) regex which works fine in regex tested, but Splunk is not extracting the fields. I want to use max_match=0 so that it picks all the process name and memory usage. If the rex works fine, it should show result like below,

SiteScope.exe MemGB : 6568
powershell.exe MemGB : 98
WmiPrvSE.exe MemGB : 146

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Give this a try

your base search | rex max_match=0 "Name\s+:\s+(?<Process>\S+)\s+MemGB\s+:\s+(?<MemGB>\d+)" | table Process MemGB

View solution in original post

SplunkTrust
SplunkTrust

Give this a try

your base search | rex max_match=0 "Name\s+:\s+(?<Process>\S+)\s+MemGB\s+:\s+(?<MemGB>\d+)" | table Process MemGB

View solution in original post

Communicator

That worked. Thank you very much.

0 Karma

SplunkTrust
SplunkTrust

What does your query look like?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Ultra Champion

It seems the thing you tried didn't have a name to assign the capture group to. Notice in the correct answer (below) that there's a <Process> and <MemGB> after the capture group starts.

0 Karma