Solved: How to extract a word from raw data in Splunk usin...

kavyamohan · ‎10-21-2019

SVSCPLEX,S0W1,S0W1.DAL-EBIS.IHOST.COM,SYSLOG,zOS-SYSLOG-Console,SYSLOG,-0400,NE,001C,19283 01.21.46.880 -0500,S0W1 ,JOB03487, ,40000000000000000000000000000000,00000090,TESCREAT,00," IEF450I TESCREAT STEP010 - ABEND=S222 U0000 REASON=00000000"\n. I want to extract this TESCREAT from the above given. I was able to write rex, but iam getting error while using the below rex field. Can you help me where I am missing.

| rex field=_raw ^[^"\n]*"\s+\w+\d+\w+\s+(?P\w+)

gcusello · ‎10-21-2019

Hi kavyamohan,
try this

| rex "([^,]*,){15}(?<my_field>[^,]*),"

you can test it at https://regex101.com/r/Dul1S5/1

ciao.
Giuseppe

View solution in original post

gcusello · ‎10-21-2019

Hi kavyamohan,
try this

| rex "([^,]*,){15}(?<my_field>[^,]*),"

you can test it at https://regex101.com/r/Dul1S5/1

ciao.
Giuseppe

kavyamohan · ‎10-21-2019

Thank you so much. It worked, where can I practice and learn writing rex?

gcusello · ‎10-21-2019

Hi kavyamohan,
you can use regex101 to test your regexes and this is the most important site to use!
.
About a tutorial, you can search on Internet using Google, anyway I used this https://www.regular-expressions.info/

If you want a quick reference guide (very quick for regexes but there are many information also on Splunk), you can use https://www.splunk.com/pdfs/solution-guides/splunk-quick-reference-guide.pdf .

Ciao.
Giuseppe

kavyamohan · ‎10-21-2019

ok Thank you so much. Will check on it:)

How to extract a word from raw data in Splunk using rex

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services