Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write the regex to extract and list values occurring after a constant string?

pavanae
Builder
‎10-06-2015 11:37 AM

The following were my search results:

processor.ProcSavePriceInfoObjects.writeProperties(ProcSavePriceInfoObjects.java:1424)
processor.ProcSavePriceInfoObjects.saveSubtotalPriceInfos(ProcSavePriceInfoObjects.java:1180)
processor.ProcSavePriceInfoObjects.saveShippingItemsSubtotalPriceInfos(ProcSavePriceInfoObjects.java:1076)
processor.ProcSavePriceInfoObjects.savePriceInfo(ProcSavePriceInfoObjects.java:1052)
processor.ProcSavePriceInfoObjects.saveOrderPriceInfo(ProcSavePriceInfoObjects.java:807)
processor.ProcSavePriceInfoObjects.runProcess(ProcSavePriceInfoObjects.java:716)

Now I want list out only the results occurring after the "processor.proc"

How to write a regex in Splunk as needed?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PGrantham
Path Finder
‎10-06-2015 12:33 PM

Something like:

index=<your index> | rex field=_raw "processor.Proc(?<new_field>[^\s]+)" | stats values(new_field)

This will create a new field called "new_field" and add everything after the "processor.Proc" up until the next space. If what you're showing is a single, multilined event, then you would need to add max_match=0 to the rex command and change the "\s" to a "\n". So it would look liked:

 index=<your index> | rex max_match=0 field=_raw "processor.Proc(?<new_field>[^\n]+)" | stats values(new_field)

Hope that helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

PGrantham
Path Finder
‎10-06-2015 12:33 PM

Something like:

index=<your index> | rex field=_raw "processor.Proc(?<new_field>[^\s]+)" | stats values(new_field)

This will create a new field called "new_field" and add everything after the "processor.Proc" up until the next space. If what you're showing is a single, multilined event, then you would need to add max_match=0 to the rex command and change the "\s" to a "\n". So it would look liked:

 index=<your index> | rex max_match=0 field=_raw "processor.Proc(?<new_field>[^\n]+)" | stats values(new_field)

Hope that helps.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-06-2015 12:23 PM

Are we looking at a single field or the entire event?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...