Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the prefixed words from logs

prettysunshinez
Explorer
‎12-01-2019 09:39 AM

Hi All,
I require help in extracting the words that appear right before the word.
Example:
Null.set.error
Nullerror
Set-get-error
Timed out error
Unknown - error

From the above,the expected result is
Null.set
Null
Set-get
Timed out
Unknown

Kindly help me with this.

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎12-01-2019 12:32 PM

Hi prettysunshinez,

Based on the provided examples, give this a try:

your search here | rex "(?<ThisIsWhatYouWant>.+?)[\s\.-]*error"

Hope this helps ...

cheers, MuS

UPDATE After some feedback and new examples the correct regex is:

 your search here | rex "(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-01-2019 02:55 PM

Like this:

... | rex ":\s*(?<error_prefix>.*?)[^A-z]+\s+error"
0 Karma
Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎12-01-2019 12:32 PM

Hi prettysunshinez,

Based on the provided examples, give this a try:

your search here | rex "(?<ThisIsWhatYouWant>.+?)[\s\.-]*error"

Hope this helps ...

cheers, MuS

UPDATE After some feedback and new examples the correct regex is:

 your search here | rex "(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"
0 Karma
Reply
Solved! Jump to solution

prettysunshinez
Explorer
‎12-05-2019 07:46 AM

Hi @MuS,
Thanks for your help.
This seems to work but this seems to capture all the words that are present before the word error

For Example:
In the below log,
Could not complete.Reason : Null.set.error

The expected is only Null.set but the its extracting me 'Could not complete.Reason : Null.set'

Likewise for the others also.

Could you kindly help.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-05-2019 09:46 AM

Hi prettysunshinez,

well you did not provided that example in your question so my regex was based on what you provided 😉 But try this regex :

 "(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"

this will also match correctly with the new example that you just provided 🙂

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

prettysunshinez
Explorer
‎12-05-2019 10:00 AM

Hi @MuS
Thanks! This works fine 🙂

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-05-2019 10:05 AM

You're welcome and thank you 🙂

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-05-2019 07:57 AM

I updated my answer.

0 Karma
Reply
Solved! Jump to solution

prettysunshinez
Explorer
‎12-05-2019 08:25 AM

Hi @Noah_Woodcock

Think you have got me wrong.
I wanted to extract only the very first word that comes before the word error.

So in my initial question,I have shared the sample as below.

Null.set.error
Nullerror
Set-get-error
Timed out error
Unknown - error

and the regex that has been suggested (rex "(?.+?)[\s.-]*error") seem to capture everything that is present before the word error.

For Example:
In the below log,
Could not complete.Reason : Null.set.error

The expected is only Null.set but the its extracting me 'Could not complete.Reason : Null.set'

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? &#x1f680; We invite you to join our elite squad ...