Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use Rex command to extract this field from ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use Rex command to extract this field from my sample log?
Abilan1
Path Finder
11-02-2015
05:27 AM
Hi,
Sample log file:
STD QBATCH:P GRAUT 77718 R5609812_S0000001_5847829
I want to create that highlighted term as a new event field. Only STD in that above line will be common in all over the logs, remaining words or characters may change. So I am not sure how to use Rex here. Also in the same indexed line it may occurs many time.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-02-2015
06:13 AM
Like this:
| rex "(?<myField>[^\s_]+_[^\s_]+)_[^\s_]+$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
11-02-2015
06:25 AM
@Abilan1 what @woodcock here has said will work - if you add a close parenthesis after the dollar sign. It will capture everything between the last whitespace and the end as "myField". You can then use substring or further rex to extract just the first parts of that field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
11-02-2015
05:53 AM
Are the number of whitespaces between the "STD" and the value you want consistent?
If yes, then this should do the trick:
... | rex "STD\s([^\s]+\s){3}(?P<your_field>([^_]+_){2}))"
It will store this R5609812_S0000001_ as the value of your_field. If you don't want the second underscore in your value, you can do the following:
... | eval your_field = substr(your_field,1,len(your_field)-1)
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Abilan1
Path Finder
11-02-2015
06:07 AM
hi,
Thanks for your reply! whitespaces will vary.it's not constant.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
11-02-2015
06:13 AM
Can you provide more samples then?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Abilan1
Path Finder
11-02-2015
06:17 AM
Please find below
STD QBATCH:P ALIUYFG 54902 R5641003_A0000002_5853971
STD QBATCH:P JUCHOI 158875 R5641003_A0000002_5870061
STD QBATCH:P GYLUT 23335 R5609811_A0000003_5871713
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
11-02-2015
06:24 AM
There are exactly 4 whitespaces between the "STD" and the value you want in every one of your samples. That seems pretty consistent.
Also can you clarify what you want to capture? Is it:
R5609811_A0000003_5871713
or
R5609811_A0000003_
or
R5609811_A0000003
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Abilan1
Path Finder
11-02-2015
06:54 AM
This one
R5609811_A0000003
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
11-02-2015
07:02 AM
Try this:
| rex "\s(?<myField>[^\s_]+_[^\s_]+)_"
Based off of @woodcock 's answer
@Abilan1 I had a typo, I have removed the second close parenthesis from my answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Abilan1
Path Finder
11-02-2015
07:08 AM
hi
I am getting "Regex: unmatched parentheses" error..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
11-02-2015
07:15 AM
I had a typo. I have edited my comment to remove it.
I had a second close parenthesis.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Abilan1
Path Finder
11-02-2015
07:21 AM
hi,
Thank You! It is capturing only 1st record from that indexed line..As I said earlier, am having more records in the same line..
STD QBATCH:P ALIUYFG 54902 R5641003_A0000002_5853971
STD QBATCH:P JUCHOI 158875 R5641003_A0000002_5870061
STD QBATCH:P GYLUT 23335 R5609811_A0000003_5871713
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
11-02-2015
07:26 AM
Do you mean that a single Splunk event can contain multiple lines from which you want to capture said field?
So for example the three samples you have provided above are a single event?
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
