How to write regex to extract this line in this ve...

lsy9891 · ‎09-11-2019

Hi, I have a field called message:

Message="Fault bucket , type 0
Event Name: ServiceHang
Response: Not available
Cab Id: 0

Problem signature:
P1: MonsterWindowsService
P2: Monster.Services.Windows.ServiceBase.exe
P3: 2019.15.0.12
P4: 10
P5: 2
P6:
P7:
P8:
P9:
P10:

Attached files:

These files may be available here:

Analysis symbol:
Rechecking for solution: 0
Report Id: f9938371-b8d1-11e9-8f94-00505682bfbe
Report Status: 0"

And I'm trying to extract the line in bold? Is this possible or is there an easier way other than to write the regex?

MuS · ‎09-11-2019

Hi lsy9891,

try this:

| makeresults 
| eval Message="Fault bucket , type 0
Event Name: ServiceHang
Response: Not available
Cab Id: 0

Problem signature:
P1: MonsterWindowsService
P2: Monster.Services.Windows.ServiceBase.exe
P3: 2019.15.0.12
P4: 10
P5: 2
P6: 
P7: 
P8: 
P9: 
P10:

Attached files:

These files may be available here:


Analysis symbol: 
Rechecking for solution: 0
Report Id: f9938371-b8d1-11e9-8f94-00505682bfbe
Report Status: 0" 
| rex field="Message" "P1: (?<my_P1_field>.+)"

The field called my_P1_field will contain MonsterWindowsService.

Hope this helps ...

cheers, MuS

How to write regex to extract this line in this very long field?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to write regex to extract this line in this very long field?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES