How to write regex to extract this line in this ve...

lsy9891 · ‎09-11-2019

Hi, I have a field called message:

Message="Fault bucket , type 0
Event Name: ServiceHang
Response: Not available
Cab Id: 0

Problem signature:
P1: MonsterWindowsService
P2: Monster.Services.Windows.ServiceBase.exe
P3: 2019.15.0.12
P4: 10
P5: 2
P6:
P7:
P8:
P9:
P10:

Attached files:

These files may be available here:

Analysis symbol:
Rechecking for solution: 0
Report Id: f9938371-b8d1-11e9-8f94-00505682bfbe
Report Status: 0"

And I'm trying to extract the line in bold? Is this possible or is there an easier way other than to write the regex?

MuS · ‎09-11-2019

Hi lsy9891,

try this:

| makeresults 
| eval Message="Fault bucket , type 0
Event Name: ServiceHang
Response: Not available
Cab Id: 0

Problem signature:
P1: MonsterWindowsService
P2: Monster.Services.Windows.ServiceBase.exe
P3: 2019.15.0.12
P4: 10
P5: 2
P6: 
P7: 
P8: 
P9: 
P10:

Attached files:

These files may be available here:


Analysis symbol: 
Rechecking for solution: 0
Report Id: f9938371-b8d1-11e9-8f94-00505682bfbe
Report Status: 0" 
| rex field="Message" "P1: (?<my_P1_field>.+)"

The field called my_P1_field will contain MonsterWindowsService.

Hope this helps ...

cheers, MuS

How to write regex to extract this line in this very long field?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms