- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write regex to extract my field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to write regex to extract my field?
Hi, i'm try using the interactive field extractor tools create a field for this
"Exception Message"="Thread was being aborted."
but getting following error "The generated regex was unable to match all examples (e.g., =, Thread was being aborted., Exception Message). Consider entering different examples, or manually editing the regex."
any suggestion a regex syntax or how to auto detect the field it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're asking about extracting the field name along with the field value, you can do that with a combination of props.conf and transforms.conf:
props.conf
[your_sourcetype]
REPORT-kv = extract_quoted_fields
...
transforms.conf
[extract_quoted_fields]
REGEX = "(?<_KEY_1>([^"]|\\")+)"\s*=\s*"(?<_VAL_1>([^"]|\\")+)"
Make sure my Q'n'D regex actually suits your data, didn't test it myself. The main thing is to use the magic _KEY_x and _VAL_x names to extract both field names and field values in one swoop.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For Search time
your base search | rex field=_raw "\"Exception Message\"=\"(?<ExceptionMessage>[^\"]*)\""
In Props.conf
EXTRACT-exceptionmsg = \"Exception Message\"=\"(?<ExceptionMessage>[^\"]*)\"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
works great, but how to setup it up so that splunk automatic recognize fields based on
"Exception Message"="*"
for example splunk recognize this Source=OAA.Security.PassiveSTS.Shell automatic assigning "Source" as the field,
thank-you for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Exception Message"="Thread was being aborted.", Source=OAA.Security.PassiveSTS.Shell, TargetSite="Void SignOutRequest()", WindowsIdentity="IIS APPPOOL\Test.com"
Above is the logs, but splunk auto assign the field to "Source" ,"TargetSite" and "WindowsIdentity" but not "Exception Message" or maybe the "
i want extract exception message "Exception Message"="*" or better to have it in props.conf to auto assign it.
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post some complete sample events, along with the what string to extract?
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
