Solved: How to extract the prefixed words from logs

prettysunshinez · ‎12-01-2019

Hi All,
I require help in extracting the words that appear right before the word.
Example:
Null.set.error
Nullerror
Set-get-error
Timed out error
Unknown - error

From the above,the expected result is
Null.set
Null
Set-get
Timed out
Unknown

Kindly help me with this.

Thanks!

MuS · ‎12-01-2019

Hi prettysunshinez,

Based on the provided examples, give this a try:

your search here | rex "(?<ThisIsWhatYouWant>.+?)[\s\.-]*error"

Hope this helps ...

cheers, MuS

UPDATE After some feedback and new examples the correct regex is:

 your search here | rex "(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"

View solution in original post

woodcock · ‎12-01-2019

Like this:

... | rex ":\s*(?<error_prefix>.*?)[^A-z]+\s+error"

MuS · ‎12-01-2019

Hi prettysunshinez,

Based on the provided examples, give this a try:

your search here | rex "(?<ThisIsWhatYouWant>.+?)[\s\.-]*error"

Hope this helps ...

cheers, MuS

UPDATE After some feedback and new examples the correct regex is:

 your search here | rex "(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"

prettysunshinez · ‎12-05-2019

Hi @MuS,
Thanks for your help.
This seems to work but this seems to capture all the words that are present before the word error

For Example:
In the below log,
Could not complete.Reason : Null.set.error

The expected is only Null.set but the its extracting me 'Could not complete.Reason : Null.set'

Likewise for the others also.

Could you kindly help.

MuS · ‎12-05-2019

Hi prettysunshinez,

well you did not provided that example in your question so my regex was based on what you provided 😉 But try this regex :

 "(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"

this will also match correctly with the new example that you just provided 🙂

cheers, MuS

prettysunshinez · ‎12-05-2019

Hi @MuS
Thanks! This works fine 🙂

MuS · ‎12-05-2019

You're welcome and thank you 🙂

cheers, MuS

woodcock · ‎12-05-2019

I updated my answer.

prettysunshinez · ‎12-05-2019

Hi @Noah_Woodcock

Think you have got me wrong.
I wanted to extract only the very first word that comes before the word error.

So in my initial question,I have shared the sample as below.

Null.set.error
Nullerror
Set-get-error
Timed out error
Unknown - error

and the regex that has been suggested (rex "(?.+?)[\s.-]*error") seem to capture everything that is present before the word error.

For Example:
In the below log,
Could not complete.Reason : Null.set.error

The expected is only Null.set but the its extracting me 'Could not complete.Reason : Null.set'

How to extract the prefixed words from logs

Reduce and Transform Your Firewall Data with Splunk Data Management

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Are you a member of the Splunk Community?

How to extract the prefixed words from logs

Reduce and Transform Your Firewall Data with Splunk Data Management

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions