Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write regex to extract fields at search-time?

Isaias_Garcia
Path Finder
‎09-07-2014 11:31 PM

Hi-

I have the sample logs below and I want the output to be in this format.

1st Columns = BatchJobsName
2nd Col = Date
3rd Col = Start Time
4th Col = End Time
5th Col = Results

where: The BatchJobsName column is the "emailJustifications" or the "sendBelga" in the sample logs below;
The Date is the date found in "fired at:" in the sample logs below;
The Start Time is the time found in "fired (by trigger DEFAULT.emailJustificationsSimpleTrigger) at:";
The End Time is the time found in "Job DEFAULT.emailJustificationsJobLauncher fired at:";
The Result is the "result="

SAMPLE LOGS:

2014-09-05 23:57:24,644 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.emailJustificationsJobLauncher fired at: 05/09/2014 23:59:24 result=OK
2014-09-05 23:57:24,531 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.emailJustificationsJobLauncher fired (by trigger DEFAULT.emailJustificationsSimpleTrigger) at: 23:57:19 09/05/2014

2014-09-05 23:55:00,723 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.sendBelgaJobLauncherUST fired at: 05/09/2014 23:55:00 result=ERROR
2014-09-05 23:55:00,712 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.sendBelgaLauncherUST fired (by trigger DEFAULT.sendBelgaTriggerUST) at: 21:55:00 09/05/2014

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-08-2014 01:26 AM

Hi isaias.Garcia,

based on the provided examples, try something like this:

your base search here 
| rex "(?<=DEFAULT\.)(?<BatchJobsName>.+)(?=(JobLauncher)|(Launcher))"
| rex "(?<=fired\sat\:\s\s)(?<Date>.+?)(?=\s)"
| rex "(?<=at\:\s\s)(?<StartTime>.+?)(?=\s(\d+\/){2}\d+)"
| rex "(?<=(\d{2}\/){2}\d{4}\s)(?<EndTime>.+?)(?=\s)"

each regex will provide a new field which can be used in further Splunk commands. Regarding the result=OK or result=ERROR, this field should be extracted by Splunk already because it is key value based.
As soon as the result matches your needs, setup auto field extraction based on the regex - see the docs about Add fields at search time

hope that helps ... and yes there are probably better regex, but this should get you started.

cheers, MuS

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-08-2014 02:34 AM

updated some regex...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...