Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract event_id and STATUS?

jayakumar89
Explorer
‎10-30-2017 10:53 AM

I have a single row event that populates the below values and i would like to extract eventid=389643 and STATUS=FINISHED using regex. Could you help me with the regex pattern to extract these values.

2017-10-30 06:48:03,357 [pool-22-thread-1] INFO xxxxxxxxxxxxxxxxxxxxxxx - Email Sent
To : xxxxxxxxxxxxxxxxxxxxxxxx
From : xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Subject : Plan Status - 389643 FINISHED
Body : Plan Status - 389643 FINISHED

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎10-30-2017 11:02 AM

Try this

| rex Status\s\-\s(?<eventid>\d+)

| rex -\s\d+\s(?<STATUS>\w+)

Reply

s2_splunk
Splunk Employee
Splunk Employee
‎10-30-2017 10:59 AM

Try this: <yoursearch> | rex field=_raw "(?<eventID>\d+)\s(?<STATUS>\w+)$"

This assumes that there is nothing in the event after your status value (the RegEx anchors to the end of _raw)

Reply

cpetterborg
SplunkTrust
SplunkTrust
‎10-30-2017 11:16 AM 
... | rex "Subject : Plan Status - (?<eventID>\d+)\s(?<STATUS>\w+)"

will work if you have additional stuff after that last line.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...