Solved: How to extract content between two strings?

senthamilselvan · ‎05-16-2017

Hi Team,

I have an error message coming up in Splunk like below. The required log message will come in the middle of the line and i have to extract the content which lies between SQL0911N & SQLSTATE=40001 .

********* SQL0911N  ##############.  SQLSTATE=40001

Can you please help us to write rex to extract the fields in between the 2 strings. Please let me know if need more information.

Thanks & Regards
Senthamilselvan J

woodcock · ‎05-16-2017

Like this:

... | rex "SQL\d+N\s*(?<YouFieldNameHere>.+)\s*SQLSTATE=\d+"

View solution in original post

woodcock · ‎05-16-2017

Like this:

... | rex "SQL\d+N\s*(?<YouFieldNameHere>.+)\s*SQLSTATE=\d+"

senthamilselvan · ‎05-22-2017

Thank you!! As of now we are getting output excluding the key values (SQL\d+N\s & SQLSTATE=\d+). But i want to display both the key values in the error message as well. Please let me know the rex to includes the key values also.

woodcock · ‎05-22-2017

... | rex "(?SQL\d+N)\s*(?.+)\s*SQLSTATE=(?\d+)"

senthamilselvan · ‎05-26-2017

Hi Woodcock,

The search query is not working as expected, Still i am getting message excluding the two key values(SQL\d+N\s & SQLSTATE=\d).

somesoni2 · ‎05-16-2017

If those strings (SQL0911N & SQLSTATE=40001) are static/fixed, try like this for inline extraction in search

your base search | rex "SQL0911N\s*(?<YourFieldName>.+)\s*SQLSTATE=40001"

How to extract content between two strings?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies