- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write regex to extract fields at search-tim...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to write regex to extract fields at search-time?
Hi-
I have the sample logs below and I want the output to be in this format.
1st Columns = BatchJobsName
2nd Col = Date
3rd Col = Start Time
4th Col = End Time
5th Col = Results
where: The BatchJobsName column is the "emailJustifications" or the "sendBelga" in the sample logs below;
The Date is the date found in "fired at:" in the sample logs below;
The Start Time is the time found in "fired (by trigger DEFAULT.emailJustificationsSimpleTrigger) at:";
The End Time is the time found in "Job DEFAULT.emailJustificationsJobLauncher fired at:";
The Result is the "result="
SAMPLE LOGS:
2014-09-05 23:57:24,644 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.emailJustificationsJobLauncher fired at: 05/09/2014 23:59:24 result=OK
2014-09-05 23:57:24,531 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.emailJustificationsJobLauncher fired (by trigger DEFAULT.emailJustificationsSimpleTrigger) at: 23:57:19 09/05/2014
2014-09-05 23:55:00,723 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.sendBelgaJobLauncherUST fired at: 05/09/2014 23:55:00 result=ERROR
2014-09-05 23:55:00,712 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.sendBelgaLauncherUST fired (by trigger DEFAULT.sendBelgaTriggerUST) at: 21:55:00 09/05/2014
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi isaias.Garcia,
based on the provided examples, try something like this:
your base search here
| rex "(?<=DEFAULT\.)(?<BatchJobsName>.+)(?=(JobLauncher)|(Launcher))"
| rex "(?<=fired\sat\:\s\s)(?<Date>.+?)(?=\s)"
| rex "(?<=at\:\s\s)(?<StartTime>.+?)(?=\s(\d+\/){2}\d+)"
| rex "(?<=(\d{2}\/){2}\d{4}\s)(?<EndTime>.+?)(?=\s)"
each regex will provide a new field which can be used in further Splunk commands. Regarding the result=OK or result=ERROR, this field should be extracted by Splunk already because it is key value based.
As soon as the result matches your needs, setup auto field extraction based on the regex - see the docs about Add fields at search time
hope that helps ... and yes there are probably better regex, but this should get you started.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
updated some regex...
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
