Solved: Re: How to write the regex to extract semicolon de...

ismarslomic · ‎04-01-2015

I have the following log statement, which uses semicolon delimiter and where i want to extract columns as specific fields with use of Regex in IFX.

[1427894078] SERVICE ALERT: example.com ;Current Load;CRITICAL;SOFT;3;CRITICAL - load average: 1.96, 1.29, 0.59

However, I'm not so good at Regex so would need help to create 4 separate regular expressions (will be saved as 4 different fields) which returns following results:

[1427894078] SERVICE ALERT: example.com
Current Load
CRITICAL;SOFT;3
CRITICAL - load average: 1.96, 1.29, 0.59

aljohnson_splun · ‎04-01-2015

^(?P<alert>.*?) ;
(?P<stuff>.*?);
(?P<more_stuff>\w+;\w+;\d+);
(?P<ending_stuff>.*)$

Here is a nice tool for trying it out yourself and testing.

https://regex101.com/r/kC3gH0/1

View solution in original post

romdece · ‎07-17-2015

The FIND (match) expression can be the following:

^(.*?);(.*?);(CRITICAL.*?);(CRITICAL.*)$

The REPLACE or EXTRACTION code the next one

$1\r\n$2\r\n\r\n$3\r\n$4\r\n

The \r\n standing for CR/LF.

In a PERL-transformation-routine \n would be sufficient.

More details are needed to make a real PERL-transformation-routine out of it.

You can contact me on romdeclercq at skynet dot be

Kind Regards,

Romain.

aljohnson_splun · ‎04-01-2015

^(?P<alert>.*?) ;
(?P<stuff>.*?);
(?P<more_stuff>\w+;\w+;\d+);
(?P<ending_stuff>.*)$

Here is a nice tool for trying it out yourself and testing.

https://regex101.com/r/kC3gH0/1

ismarslomic · ‎04-01-2015

Thanks, this works and solves my need!

masonmorales · ‎04-01-2015

Try this:

| rex "^(?<field1>[^;]+);(?<field2>[^;]+);(?<field3>w+;\w+;\d);(?<field4>.+)"

Sorry, here's a fixed version (copy/paste it to the end of your search verbatem):

| rex "^(?<field1>[^;]+);(?<field2>[^;]+);(?<field3>[^;]+;[^;]+;[^;]+);(?<field4>.+)$"

Screenshot: http://tinypic.com/r/2vj8tvd/8

ismarslomic · ‎04-01-2015

When I copy/paste ^(?[^;]+);(?[^;]+);(?w+;\w+;\d);(?.+) in the input field "Regular expression pattern" I get error message

Invalid regex: syntax error

and

Regex does not extract any named fields.

masonmorales · ‎04-01-2015

Did you include the quotation marks?

ismarslomic · ‎04-01-2015

No. Please see screenshot http://tinypic.com/r/35i2afs/8

masonmorales · ‎04-01-2015

Edited original post. Retry please.

masonmorales · ‎04-01-2015

Don't use the interactive field extraction. Just add-it onto your search.

masonmorales · ‎04-01-2015

Please click "Accept Answer" if this worked

ismarslomic · ‎04-01-2015

I cant accept that comment as answer.. It seems like i need to move it to Reply, but I dont have access to do it

ismarslomic · ‎04-01-2015

Sorry, but it still doesnt work. However, reply from @aljohnson_splunk solved the problem. Thanks to both of you!

ismarslomic · ‎04-01-2015

No, still same error message.

How to write the regex to extract semicolon delimited fields?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM