Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use rex command to extract value from the end of an event?

jambraun
Explorer
‎09-22-2016 03:03 PM

I know this type of question has been asked many times before, but I haven't been able to get results from using REX. Time to ask an expert.

Here's a typical event from a search:

9/22/16
4:55:03.000 PM  

2016-09-22 20:55:03+00:00 server.domain.com F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 = STRING: All devices in the device group are in sync

host = server  
 source = /data/snmp/team_metrics_f5/teamMetricsF5__2016-09-22__server.log  
 sourcetype =team_metrics_snmp

I want to capture the value after STRING: "; e.g "All devices in the device group are in sync. This won't always be the value of course.

Here's the search string I was toying with that yielded 0 results:

index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<\Sync_Status>\d+)$" | table Sync_Status
index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?"<\sync_status>\w+)$" | table Sync_Status

I couldn't figure out how to get the "<" to show up, so ignore the "\" in the field name

Thanks everyone!

--Jarred

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lquinn
Contributor
‎09-22-2016 04:15 PM

I think the structure of your query is fine - your regex just doesn't quite work. The first one you tried is looking for a string of digits, the second one a string of word characters. Neither of these look for spaces so if you are trying to capture a string which contains spaces you will need to add this into your regex as well. So you could use something like this ...

index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>[\w\s]+)$" | table Sync_Status

Alternatively, you could open your regex up further, in case other characters might appear in the string, by using .* like this ...

 index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>.*)$" | table Sync_Status

View solution in original post

Reply
Solved! Jump to solution
Solution

lquinn
Contributor
‎09-22-2016 04:15 PM

I think the structure of your query is fine - your regex just doesn't quite work. The first one you tried is looking for a string of digits, the second one a string of word characters. Neither of these look for spaces so if you are trying to capture a string which contains spaces you will need to add this into your regex as well. So you could use something like this ...

index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>[\w\s]+)$" | table Sync_Status

Alternatively, you could open your regex up further, in case other characters might appear in the string, by using .* like this ...

 index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>.*)$" | table Sync_Status
Reply
Solved! Jump to solution

jambraun
Explorer
‎09-22-2016 05:02 PM

Brilliant. Thank you! I'm still learning syntax. I know there are about 10 different ways to accomplish this but I particularly like the catch all *.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎09-22-2016 04:14 PM

Hi jambraun,

your regex either matches only number or any word character. So by changing it into this:

index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 
| rex "STRING: (?<Sync_Status>[^$]+?)$" 
| table Sync_Status

you should be able to get everything after STRING until the end of line. Tested and working on regex101.com

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

jambraun
Explorer
‎09-22-2016 05:03 PM

Works as well 🙂 Thank you for the example.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top