Re: How to search a string

RGullur · ‎01-22-2025

Hi Community, please help me how to extract BOLD/underlines value from below string:

[2025-01-22 13:33:33,899] INFO Setting connector ABC_SOMECONNECTOR_CHANGE_EVENT_SRC_Q_V1 state to PAUSED (org.apache.kafka.connect.runtime.Worker:1391)

yuanliu · ‎01-25-2025

Combining everyone's suggestions, here is a command that is ready to go if that string is all you need:

| rex "Setting connector (<myfield>\S+)"

How strictly or loosely you want to set anchors and matches heavily depends on actual data and use case. This is just something to get you started.

isoutamo · ‎01-26-2025

regex101.com is excellent place to try how these rex are working or not. It also show execution cost of different versions and contains some other help.

bowesmana · ‎01-22-2025

As @dural_yyz says, the regex is easy - you can use this with the rex command

https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/rex

dural_yyz · ‎01-22-2025

The regex is simple enough.

^.*\sSetting\sconnector\s(?<connector_event>[^\s]+).*$

PickleRick · ‎01-22-2025

Anchoring the regex to the beginning of the string is not needed and actually significantly impacts the performance (match in 154 steps vs. 29 without the "^.*" part).

How to search a string

subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?