Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract content between two strings?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
senthamilselvan
Engager
05-16-2017
10:22 AM
Hi Team,
I have an error message coming up in Splunk like below. The required log message will come in the middle of the line and i have to extract the content which lies between SQL0911N & SQLSTATE=40001 .
********* SQL0911N ##############. SQLSTATE=40001
Can you please help us to write rex to extract the fields in between the 2 strings. Please let me know if need more information.
Thanks & Regards
Senthamilselvan J
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-16-2017
12:16 PM
Like this:
... | rex "SQL\d+N\s*(?<YouFieldNameHere>.+)\s*SQLSTATE=\d+"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-16-2017
12:16 PM
Like this:
... | rex "SQL\d+N\s*(?<YouFieldNameHere>.+)\s*SQLSTATE=\d+"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
senthamilselvan
Engager
05-22-2017
02:44 AM
Thank you!! As of now we are getting output excluding the key values (SQL\d+N\s & SQLSTATE=\d+). But i want to display both the key values in the error message as well. Please let me know the rex to includes the key values also.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-22-2017
12:03 PM
... | rex "(?SQL\d+N)\s*(?.+)\s*SQLSTATE=(?\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
senthamilselvan
Engager
05-26-2017
06:52 AM
Hi Woodcock,
The search query is not working as expected, Still i am getting message excluding the two key values(SQL\d+N\s & SQLSTATE=\d).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-16-2017
11:02 AM
If those strings (SQL0911N & SQLSTATE=40001) are static/fixed, try like this for inline extraction in search
your base search | rex "SQL0911N\s*(?<YourFieldName>.+)\s*SQLSTATE=40001"
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
