Splunk Search

How to use regex to extract field?

Builder

HI How to extract the field with space using regex?

name:
T11345DDF ERROR
T11345SSDF Volume C

values:
123455-25335535-55454545-5656566-45655-36565656-6656-488656 TPM

I need to extract T11345DDF , T11345SSDF , 123455-25335535-55454545-5656566-45655-36565656-6656-488656

Tags (1)
0 Karma
1 Solution

Motivator

Let's say that it is always the first word in each event line then can you try this please:

your query to return events
| rex "^(?<myField>[^\s]+)\s*"
| table myField

See extraction here

View solution in original post

0 Karma

Path Finder

If you need more flexibility you might need to create fields extractions. If it was me, I would create 3 separate field extractions.

- (?P<error>.*?)\sERROR
- (?P<volume>.*?)\sVolume
- (?P<tpm>.*?)\sTPM
0 Karma

Motivator

Let's say that it is always the first word in each event line then can you try this please:

your query to return events
| rex "^(?<myField>[^\s]+)\s*"
| table myField

See extraction here

View solution in original post

0 Karma

Builder

Thanks gokadroid.