Solved: Re: How to extract string from a position until th...

mdzmuran · ‎03-08-2017

I have lines like this:

[2011/02/11@10:33:13.978+0100] P-18679      T-0     I Usr     2: (49)    SYSTEM ERROR: Memory violation.

How can I extract the string beginning with "Memory viol" till the end of line? The string is one line only, but may be much longer with any characters.

DalJeanis · ‎03-08-2017

Your regex will look like this

| rex field=_raw "(?<myfield>Memory viol.*)$"

or you might prefer

| rex field=_raw "SYSTEM ERROR:\s+(?<myfield>.*)$"

Both of these assume that there will never be any fields after the system error. The $ at the end is a regex anchor for "the end of the field we are searching"

View solution in original post

DalJeanis · ‎03-08-2017

Your regex will look like this

| rex field=_raw "(?<myfield>Memory viol.*)$"

or you might prefer

| rex field=_raw "SYSTEM ERROR:\s+(?<myfield>.*)$"

Both of these assume that there will never be any fields after the system error. The $ at the end is a regex anchor for "the end of the field we are searching"

mdzmuran · ‎03-09-2017

Thanks. It works.

How to extract string from a position until the end of line?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to extract string from a position until the end of line?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES