Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract content between two strings?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
senthamilselvan
Engager
05-16-2017
10:22 AM
Hi Team,
I have an error message coming up in Splunk like below. The required log message will come in the middle of the line and i have to extract the content which lies between SQL0911N & SQLSTATE=40001 .
********* SQL0911N ##############. SQLSTATE=40001
Can you please help us to write rex to extract the fields in between the 2 strings. Please let me know if need more information.
Thanks & Regards
Senthamilselvan J
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-16-2017
12:16 PM
Like this:
... | rex "SQL\d+N\s*(?<YouFieldNameHere>.+)\s*SQLSTATE=\d+"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-16-2017
12:16 PM
Like this:
... | rex "SQL\d+N\s*(?<YouFieldNameHere>.+)\s*SQLSTATE=\d+"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
senthamilselvan
Engager
05-22-2017
02:44 AM
Thank you!! As of now we are getting output excluding the key values (SQL\d+N\s & SQLSTATE=\d+). But i want to display both the key values in the error message as well. Please let me know the rex to includes the key values also.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-22-2017
12:03 PM
... | rex "(?SQL\d+N)\s*(?.+)\s*SQLSTATE=(?\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
senthamilselvan
Engager
05-26-2017
06:52 AM
Hi Woodcock,
The search query is not working as expected, Still i am getting message excluding the two key values(SQL\d+N\s & SQLSTATE=\d).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-16-2017
11:02 AM
If those strings (SQL0911N & SQLSTATE=40001) are static/fixed, try like this for inline extraction in search
your base search | rex "SQL0911N\s*(?<YourFieldName>.+)\s*SQLSTATE=40001"
Get Updates on the Splunk Community!
Leveraging Detections from the Splunk Threat Research Team & Cisco Talos
Now On Demand
Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...
New in Splunk Observability Cloud: Automated Archiving for Unused Metrics
Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...
Calling All Security Pros: Ready to Race Through Boston?
Hey Splunkers,
.conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
