Solved: Re: How to extract string from a position until th...

mdzmuran · ‎03-08-2017

I have lines like this:

[2011/02/11@10:33:13.978+0100] P-18679      T-0     I Usr     2: (49)    SYSTEM ERROR: Memory violation.

How can I extract the string beginning with "Memory viol" till the end of line? The string is one line only, but may be much longer with any characters.

DalJeanis · ‎03-08-2017

Your regex will look like this

| rex field=_raw "(?<myfield>Memory viol.*)$"

or you might prefer

| rex field=_raw "SYSTEM ERROR:\s+(?<myfield>.*)$"

Both of these assume that there will never be any fields after the system error. The $ at the end is a regex anchor for "the end of the field we are searching"

View solution in original post

DalJeanis · ‎03-08-2017

Your regex will look like this

| rex field=_raw "(?<myfield>Memory viol.*)$"

or you might prefer

| rex field=_raw "SYSTEM ERROR:\s+(?<myfield>.*)$"

Both of these assume that there will never be any fields after the system error. The $ at the end is a regex anchor for "the end of the field we are searching"

mdzmuran · ‎03-09-2017

Thanks. It works.

How to extract string from a position until the end of line?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to extract string from a position until the end of line?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...