
How to write the regex to extract semicolon delimited fields?

ismarslomic
Path Finder

I have the following log statement, which uses a semicolon delimiter and from which I want to extract columns as specific fields using Regex in IFX.

[1427894078] SERVICE ALERT: example.com ;Current Load;CRITICAL;SOFT;3;CRITICAL - load average: 1.96, 1.29, 0.59

However, I'm not so good at Regex, so I would need help to create 4 separate regular expressions (to be saved as 4 different fields) which return the following results:

  1. [1427894078] SERVICE ALERT: example.com
  2. Current Load
  3. CRITICAL;SOFT;3
  4. CRITICAL - load average: 1.96, 1.29, 0.59

aljohnson_splun
Splunk Employee
^(?P<alert>.*?) ;
(?P<stuff>.*?);
(?P<more_stuff>\w+;\w+;\d+);
(?P<ending_stuff>.*)$

Here is a nice tool for trying it out yourself and testing.

https://regex101.com/r/kC3gH0/1


romdece
New Member

The FIND (match) expression can be the following:

^(.*?);(.*?);(CRITICAL.*?);(CRITICAL.*)$

The REPLACE or EXTRACTION code is the next one:

$1\r\n$2\r\n\r\n$3\r\n$4\r\n

The \r\n stands for CR/LF.

In a PERL-transformation-routine \n would be sufficient.

More details are needed to make a real PERL-transformation-routine out of it.

You can contact me on romdeclercq at skynet dot be

Kind Regards,

Romain.


ismarslomic
Path Finder

Thanks, this works and solves my need!


masonmorales
Influencer

Try this:

| rex "^(?<field1>[^;]+);(?<field2>[^;]+);(?<field3>w+;\w+;\d);(?<field4>.+)"

Sorry, here's a fixed version (copy/paste it to the end of your search verbatim):

| rex "^(?<field1>[^;]+);(?<field2>[^;]+);(?<field3>[^;]+;[^;]+;[^;]+);(?<field4>.+)$"

Screenshot: http://tinypic.com/r/2vj8tvd/8
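To check the two patterns from this thread against the posted log line, here is an added Python example (not from any of the posts). The second log line is constructed; Python's re module needs the (?P<name>...) group syntax, which Splunk's PCRE also accepts, so the (?<name>...) groups are written that way here.

```python
from __future__ import annotations
import re

# aljohnson_splun's four fragments joined into one pattern. Note the literal
# " ;" (space then semicolon) after the host, which trims the trailing space
# out of the alert field but also makes the whole match fail without it.
ALERT_RE = re.compile(
    r"^(?P<alert>.*?) ;"
    r"(?P<stuff>.*?);"
    r"(?P<more_stuff>\w+;\w+;\d+);"
    r"(?P<ending_stuff>.*)$"
)

# masonmorales' fixed rex pattern: splits purely on ';', so field1 keeps the
# space that precedes the first delimiter.
FIELD_RE = re.compile(
    r"^(?P<field1>[^;]+);(?P<field2>[^;]+);"
    r"(?P<field3>[^;]+;[^;]+;[^;]+);(?P<field4>.+)$"
)

# Line from the original question, plus a constructed second alert for a
# different host and state.
SAMPLE = "[1427894078] SERVICE ALERT: example.com ;Current Load;CRITICAL;SOFT;3;CRITICAL - load average: 1.96, 1.29, 0.59"
CONSTRUCTED = "[1427894100] SERVICE ALERT: db01.example.com ;Disk Space;WARNING;HARD;2;DISK WARNING - free space: / 1234 MB (10% inode=95%)"


def extract_named(line: str) -> dict | None:
    """Apply the accepted answer's pattern; None means no fields extracted."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def extract_split(line: str) -> dict | None:
    """Apply the [^;]+-based rex pattern; None means no fields extracted."""
    m = FIELD_RE.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for line in (SAMPLE, CONSTRUCTED, SAMPLE.replace(" ;", ";")):
        print(extract_named(line))
        print(extract_split(line))
```

The last loop iteration removes the space before the first semicolon: the named pattern then returns None (no fields, silently), while the split pattern still extracts all four fields.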

ismarslomic
Path Finder

When I copy/paste ^(?<field1>[^;]+);(?<field2>[^;]+);(?<field3>w+;\w+;\d);(?<field4>.+) in the input field "Regular expression pattern" I get the error message

Invalid regex: syntax error

and

Regex does not extract any named fields.


masonmorales
Influencer

Did you include the quotation marks?


ismarslomic
Path Finder

No. Please see screenshot http://tinypic.com/r/35i2afs/8


masonmorales
Influencer

Edited original post. Retry please.


masonmorales
Influencer

Don't use the interactive field extraction. Just add it onto your search.


masonmorales
Influencer

Please click "Accept Answer" if this worked


ismarslomic
Path Finder

I can't accept that comment as an answer. It seems like I need to move it to Reply, but I don't have access to do it.


ismarslomic
Path Finder

Sorry, but it still doesn't work. However, the reply from @aljohnson_splunk solved the problem. Thanks to both of you!


ismarslomic
Path Finder

No, still same error message.
