How to write regex to extract this line in this ve...

lsy9891 · ‎09-11-2019

Hi, I have a field called message:

Message="Fault bucket , type 0
Event Name: ServiceHang
Response: Not available
Cab Id: 0

Problem signature:
P1: MonsterWindowsService
P2: Monster.Services.Windows.ServiceBase.exe
P3: 2019.15.0.12
P4: 10
P5: 2
P6:
P7:
P8:
P9:
P10:

Attached files:

These files may be available here:

Analysis symbol:
Rechecking for solution: 0
Report Id: f9938371-b8d1-11e9-8f94-00505682bfbe
Report Status: 0"

And I'm trying to extract the line in bold? Is this possible or is there an easier way other than to write the regex?

MuS · ‎09-11-2019

Hi lsy9891,

try this:

| makeresults 
| eval Message="Fault bucket , type 0
Event Name: ServiceHang
Response: Not available
Cab Id: 0

Problem signature:
P1: MonsterWindowsService
P2: Monster.Services.Windows.ServiceBase.exe
P3: 2019.15.0.12
P4: 10
P5: 2
P6: 
P7: 
P8: 
P9: 
P10:

Attached files:

These files may be available here:


Analysis symbol: 
Rechecking for solution: 0
Report Id: f9938371-b8d1-11e9-8f94-00505682bfbe
Report Status: 0" 
| rex field="Message" "P1: (?<my_P1_field>.+)"

The field called my_P1_field will contain MonsterWindowsService.

Hope this helps ...

cheers, MuS

How to write regex to extract this line in this very long field?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

How to write regex to extract this line in this very long field?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I