Re: How to use rex to extract the values?

ewise1 · ‎05-25-2017

I want to make a table that shows ACTION, DATABASE USER, PRIVILEGE, CLIENT USER and DBID; I want the value between ' '. My field extraction and rex fails. Please advice.

Sat May 20 23:59:45 2017
LENGTH : '426'
ACTION :[278] 'select sofar, context, start_time from v$session_longops where (start_time > nvl(:1, sysdate-100) or start_time = nvl(:2, sysdate+100)) and sid = :3 and serial# = :4 and opname like 'RMAN:%' order by start_time desc, context desc'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'bing'
CLIENT TERMINAL:[0] ''
STATUS:[1] '0'
DBID:[9] '000000000'

MuS · ‎05-25-2017

Hi ewise1,

take a look at this answer https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html to learn how it can be done.

Your regex would be something like this:

 ^(\w+\s\w+|^\w+)[\s:\[\d\]]+'(.+)'

hope this helps ...

cheers, MuS

ewise1 · ‎05-26-2017

MuS,

thanks for your response, referring to the link you mentioned I should say that I don't have access to transform.conf.

MuS · ‎05-26-2017

How come? transforms.conf can be created/modified in the UI under settings - fields - field transformation

Read this https://answers.splunk.com/answers/149597/im-struggling-with-how-i-should-be-doing-inputs-and-also-p... which explains how the options of props and transforms maps to the UI.
cheers, MuS

How to use rex to extract the values?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation