How to write regex to extract this line in this ve...

lsy9891 · ‎09-11-2019

Hi, I have a field called message:

Message="Fault bucket , type 0
Event Name: ServiceHang
Response: Not available
Cab Id: 0

Problem signature:
P1: MonsterWindowsService
P2: Monster.Services.Windows.ServiceBase.exe
P3: 2019.15.0.12
P4: 10
P5: 2
P6:
P7:
P8:
P9:
P10:

Attached files:

These files may be available here:

Analysis symbol:
Rechecking for solution: 0
Report Id: f9938371-b8d1-11e9-8f94-00505682bfbe
Report Status: 0"

And I'm trying to extract the line in bold? Is this possible or is there an easier way other than to write the regex?

MuS · ‎09-11-2019

Hi lsy9891,

try this:

| makeresults 
| eval Message="Fault bucket , type 0
Event Name: ServiceHang
Response: Not available
Cab Id: 0

Problem signature:
P1: MonsterWindowsService
P2: Monster.Services.Windows.ServiceBase.exe
P3: 2019.15.0.12
P4: 10
P5: 2
P6: 
P7: 
P8: 
P9: 
P10:

Attached files:

These files may be available here:


Analysis symbol: 
Rechecking for solution: 0
Report Id: f9938371-b8d1-11e9-8f94-00505682bfbe
Report Status: 0" 
| rex field="Message" "P1: (?<my_P1_field>.+)"

The field called my_P1_field will contain MonsterWindowsService.

Hope this helps ...

cheers, MuS

How to write regex to extract this line in this very long field?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?

How to write regex to extract this line in this very long field?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!