Re: How to extract a string in a variable

avneet26 · ‎08-22-2022

I have a table in which one of the columns has logs like below

2022-08-21 23:00:00.877 Warning: PooledThread::run: N4xdmp29ForestCheckSchemaDBChangeTaskE::run: XDMP-XDQPNOSESSION: No XDQP session on host iuserb.nl.eu.abnamro.com, client=iuserb.nl.eu.abnamro.com, request=moreLocators, session=2026168605646879816, target=5301003730415457210

I want to extract the term "XDMP-XDQPNOSESSION" into a variable and then later use it. How to do that using regex or any other option ?

avneet26 · ‎08-22-2022

Basically out of my base query, I want to extract this string put it in a variable and then pass it to create an alert e-mail , where-in this string will be passed to the e-mail title. How can I do that?

isoutamo · ‎08-22-2022

Hi

one way to do it:

... your base query
| rex "(::run:.*)+::run:(?<foo>[^:]+)"

Then you have this string on field foo.

r. Ismo

avneet26 · ‎08-24-2022

what is run here?

ITWhisperer · ‎08-24-2022

"run" is taken from your example log event - it precedes "XDMP-XDQPNOSESSION" (the string you wanted to extract), but because it appears twice in your example, it needs to appear twice in the rex matching string to anchor the extract.

How to extract a string in a variable

regex

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation