How to extract data from log message data using re...

AK_Splunk · ‎09-25-2022

How to extract data from log message data using rex field=_raw? Sample data is

Instance Name : ABCDEFGH1
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ampxwdp1o.pharma.aventis.com)(PORT=12345)))
Alias ABCDEFGH1
Uptime 4 days 6 hr. 39 min. 25 sec
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=113.09.126.234)(PORT=12345)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC12345)))
The command completed successfully
Instance Name : ABCDEFGH1TEMP
Instance Name : ABCDEFGQ1

I need to extract Instance name, Alias Uptime

AK_Splunk · ‎09-26-2022

hi @gcusello
Thanks for your response

The third line has alias feild

Instance Name : ABCDEFGH1
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ampxwdp1o.pharma.aventis.com)(PORT=12345)))
Alias ABCDEFGH1
Uptime 4 days 6 hr. 39 min. 25 sec
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=113.09.126.234)(PORT=12345)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC12345)))
The command completed successfully
Instance Name : ABCDEFGH1TEMP
Instance Name : ABCDEFGQ1

gcusello · ‎09-26-2022

Hi @AK_Splunk,

sorry, I don't know how I did to not see it!

Anyway, please try this:

| rex "Alias\s+(?<Alias>\w+)"

Ciao.

Giuseppe

AK_Splunk · ‎09-25-2022

Hi @gcusello
Thanks for your response means a lot.

| rex "(?ms)Instance\s+Name\s+:\s+(?<Instance_Name>\w+).*Uptime\s+(?<Uptime>.+)Listening"

using this regex help me extract the Instance_Name only in the correct format.
for uptime I am receiving output as below

4 days 6 hr. 39 min. 25 sec
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=113.09.126.234)(PORT=12345)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC12345)))
The command completed successfully
Instance Name : ABCDEFGH1TEMP
Instance Name : ABCDEFGQ1

I also have to extract the Alias name
I tried using | rex "Alias\s+(?<Alias)>.+)" for this I am getting below mentioned error.

Error in 'rex' command: Encountered the following error while compiling the regex 'Alias\s+(?<Alias)>.+)': Regex: syntax error in subpattern name (missing terminator).

Please assist me on the same.

gcusello · ‎09-26-2022

Hi @AK_Splunk,

abou the output you're receiving, in regex101 it correctly runs, I don't know why you the this output instead teh correct one, maybe try to use this, but it should be the same thig:

| rex "(?ms)Instance\s+Name\s+:\s+(?<Instance_Name>\w+).*Uptime\s+(?<Uptime>.+)Listening Endpoints Summary"

About the alias, I don't see any alias word in your logs and there's a wrong parethesis in the field name:

"Alias\s+(?<Alias)>.+)"

Ciao.

Giuseppe

gcusello · ‎09-25-2022

Hi @AK_Splunk,

if you want to extract all the Instance Names present in your logs, you have to use two different regexes:

| rex "Instance\s+Name\s+:\s+(?<Instance_Name>\w+)"
| rex "Uptime\s+(?<Uptime)>.+)"

that you can test athttps://regex101.com/r/vPWiOh/2 and https://regex101.com/r/vPWiOh/3

If instead you want to extract only the first Instance name, you can use

| rex "(?ms)Instance\s+Name\s+:\s+(?<Instance_Name>\w+).*Uptime\s+(?<Uptime>.+)Listening"

You can test this regex at https://regex101.com/r/vPWiOh/1

Anyway, you don't need to add field=_raw when you're searching on all the raw event.

Ciao.

Giuseppe

How to extract data from log message data using rex field=_raw? Sample data is

field extraction

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor