Solved: How to use rex command to extract this field from ...

Abilan1 · ‎08-26-2015

Hi ,

COSE#1017 Associated kernel not found. Please see Enterprise Server log for details: SocID:19041 PID:13695 BSFN:CustomShipConfirmWrapper user:AIAINBND

I want to create that highlighted term as a new event field. It may vary in length in following events. Could anyone help me?

Thanks

MuS · ‎08-26-2015

Hi Abilan1,

try something like this, which is based on your provided example:

your base search here | rex "\sBSFN:(?<myField>[^\s]*)" | table myField

cheers, MuS

View solution in original post

Richfez · ‎08-26-2015

If BSFN is a constant, which it appears to be, something as simple as

 ... | rex "BSFN:(?<GiveMeAName>\w+)"

That says

BSFN: Match the string "BSFN:" (including the colon)

(? Then extract a field named "GiveMeAName"

\w+ Which consists of one or more "word" type characters (letters)

) And finally close off this extraction.

Abilan1 · ‎08-26-2015

Thank You rich!!! it worked

MuS · ‎08-26-2015

Hi Abilan1,

try something like this, which is based on your provided example:

your base search here | rex "\sBSFN:(?<myField>[^\s]*)" | table myField

cheers, MuS

Abilan1 · ‎08-26-2015

Thank You MuS!!

How to use rex command to extract this field from my sample log?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor