Solved: How to extract the following fields?

sphiwee · ‎02-09-2022

2022-02-03 12:07:12 [machine-run-00000-hit-000000-step-00000] [[Card Onboarding] CCC Capture - Logging Framework] [Card Onboarding business process v3.0.0_logging (CardOnboardingCPSCapture)] [CC00] CardOnboardingCPSCaptureRobot [ERROR] Error CPS NOT AVAILABLE on CPS screen UNKNOWN

Need to extract the above highlighted fields please
2022-02-03 12:07:12 - Date

[Card Onboarding] CCC Capture - Logging Framework - Process

Card Onboarding business process v3.0.0_logging (CardOnboardingCPSCapture) - Step

CC00 - User

ERROR - Log_Level

ITWhisperer · ‎02-09-2022

| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s+\[(?<Process>\[[^\]]+\][^\]]+)\]\s+\[(?<Step>[^\]]+)\]\s+\[(?<User>[^\]]+)\]\s+[^\[]+\[(?<Log_level>[^\]]+)"

View solution in original post

gcusello · ‎02-09-2022

Hi @sphiwee,

please try this regex:

| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s+\[(?<Process>[^\]]+)\]\s+\[(?<Step>[^\]]+)\]\s+\[(?<User>[^\]]+)\]\s+[^\[]+\[(?<Log_level>[^\]]+)"

that you can test at https://regex101.com/r/Dsqil2/1

Ciao.

Giuseppe

sphiwee · ‎02-09-2022

getting back an empty result

ITWhisperer · ‎02-09-2022

| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s+\[(?<Process>\[[^\]]+\][^\]]+)\]\s+\[(?<Step>[^\]]+)\]\s+\[(?<User>[^\]]+)\]\s+[^\[]+\[(?<Log_level>[^\]]+)"

How to extract the following fields?

field extraction

fields

search job inspector

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas