Re: How to extract a string in a variable

avneet26 · ‎08-22-2022

I have a table in which one of the columns has logs like below

2022-08-21 23:00:00.877 Warning: PooledThread::run: N4xdmp29ForestCheckSchemaDBChangeTaskE::run: XDMP-XDQPNOSESSION: No XDQP session on host iuserb.nl.eu.abnamro.com, client=iuserb.nl.eu.abnamro.com, request=moreLocators, session=2026168605646879816, target=5301003730415457210

I want to extract the term "XDMP-XDQPNOSESSION" into a variable and then later use it. How to do that using regex or any other option ?

avneet26 · ‎08-22-2022

Basically out of my base query, I want to extract this string put it in a variable and then pass it to create an alert e-mail , where-in this string will be passed to the e-mail title. How can I do that?

isoutamo · ‎08-22-2022

Hi

one way to do it:

... your base query
| rex "(::run:.*)+::run:(?<foo>[^:]+)"

Then you have this string on field foo.

r. Ismo

avneet26 · ‎08-24-2022

what is run here?

ITWhisperer · ‎08-24-2022

"run" is taken from your example log event - it precedes "XDMP-XDQPNOSESSION" (the string you wanted to extract), but because it appears twice in your example, it needs to appear twice in the rex matching string to anchor the extract.

How to extract a string in a variable

regex

subsearch

Thanks for the Memories! Splunk University, .conf24, and Community Connections

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...